23542300x8000000000000000166633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:42.061{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C8FD39FEE394D3AF46873AFC9033F6,SHA256=E8839F9EE4573EA0E3466789E39E7F4580C4F84CDE1CD0BE9CCE641F66D2CE69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:42.126{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:42.126{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000268329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:42.081{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A14F2E39F1BB4F0AEC9664EB37942E7,SHA256=D801753665C288D7353D23074EEC6A7C62AB449E13A78FD7AAD54FE48ED11584,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:43.196{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC1E152712738BE536A9BD4203F4E09,SHA256=1FFFF9A691CF5FBB9311B6A767327E7B87EB1DEB3BA0D71936FC8E61FB41A8A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000268333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:41.607{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65371-false10.0.1.12-8000- 23542300x8000000000000000268332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:43.186{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668648B420CF38D598A1A1F22854C99C,SHA256=2530F518D2D878A5C5960CA5AB617FE1360AF313D4AA13DCDC724BF075BA2F42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:44.324{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323C919D185862B150B142337FE8BB64,SHA256=13BE5B37F36EE15ED441A7D2288ECEA1E9C40E61B0BE71E10958C9A0933BFDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:44.190{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECDCB440F1760CB1913C0B2783C482FB,SHA256=061707B1A84814F67E29811CE5E2070ACF8E453AD722E51292D815C759E63724,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:45.856{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-436MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:45.397{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFE3D996272E098E17FA0B21AFDFB7D,SHA256=D428F2F2CF2479A197B403AD50686E66B18EF291F5E0C0704CE1FD561F709D8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.750{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.749{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.326{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.316{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.310{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.304{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.298{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.295{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.293{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.291{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.285{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.250{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.228{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.212{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.205{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000268343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.198{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44ABB3E48539B2AD165C0911B7145EEE,SHA256=115C6D84A1D14B1F082FA1024C4A6CE8DED031742E800AA5EF66214EC74A6C1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000268342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.194{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.183{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.171{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.160{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.150{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.135{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.085{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.083{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000166640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:46.856{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-437MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:46.428{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03662C02066DFD1E7EFEF7F344BD1116,SHA256=5ACDC6D1C5BF68C60D196C945DB5533D3C8957C09B60C8E3B8B438283448F7E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:46.228{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:46.228{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000268359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:46.207{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CCE14A1A0275A3C1C21CC09F03D7CF1,SHA256=60439AD626CA4A299892EE13240A63A91407AED2E292F6E0ACA103D91F3297F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000166638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:43.074{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55272-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000166649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.788{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E5B-6323-530F-000000007502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.788{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.788{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.788{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.788{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.788{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-3E5B-6323-530F-000000007502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.788{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E5B-6323-530F-000000007502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.789{E743DC12-3E5B-6323-530F-000000007502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000166641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.488{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B078E93E32358B0FA517B318046BAF5A,SHA256=6797B2C9F4C4F9D7B5E48C93BBC8F2018E70DDF6DDFD469232788711C48FE49E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.760{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.759{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.754{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.752{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 734700x8000000000000000268371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.730{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000268370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.729{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000268369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.728{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000268368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.726{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000268367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.725{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000268366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.724{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000268365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.723{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000268364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.311{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0413446724640F8C23B668E23E93A607,SHA256=33C2A10922466BF5471E9F1F048F7EDE1B0D6241C8B4E1BB86D0EFE74BD2821A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000268363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.223{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.223{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000166660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.876{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52644FBF711868E5A7CA3EB6F05A7C46,SHA256=675294C7954499E5F2956E88ED74458DDD8EE350B26CF190692A62695D84BBC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.559{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E592E06A05A7BF757115248FBC6421D8,SHA256=999DB1BC14EF8782DD30270E995E5C3801290B5339FDFD641BA0648524DBDB9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.561{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E35-6323-2E18-000000007402}5964C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.556{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.550{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.542{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.524{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.522{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.519{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.515{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.512{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.511{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.506{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.502{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.497{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.489{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.485{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.485{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.484{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.483{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.471{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.470{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.468{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.467{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.458{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.457{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.455{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.452{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.450{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.449{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.448{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.444{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.442{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.434{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.432{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.406{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.404{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.385{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.376{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000268390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.324{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02BC908838D2A5287BB85FECDEC8BD9,SHA256=4BD8A2E7D1F30AFFA0F9A95E622C3330CB83EC73C835554A3AC50AED181DD1B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000268389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.322{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.313{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000166658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.458{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E5C-6323-540F-000000007502}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.458{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.458{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.458{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.458{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.458{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-3E5C-6323-540F-000000007502}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.458{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E5C-6323-540F-000000007502}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.459{E743DC12-3E5C-6323-540F-000000007502}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000166650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.107{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7880516F27613A4FAC6026DA90772B2D,SHA256=7B0E0C224CB97F362C238EBECAA80920A81B0ED6BD3AF45A810602A5CB3D021C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.298{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.291{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.286{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.282{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.275{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.272{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.269{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.266{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.265{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.263{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.166{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.166{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000268429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:49.898{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCBF20A40051FA941DA2159028D9A964,SHA256=8EB3B650C4B12B1EBF8F241FD1AF543D27A8692B28AA99BF1C2C34BBBD767B12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.635{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8443D530F22F2F6F768771C8ED2E77C,SHA256=3BE61AD89CC4D7F5D2E3F48176AEC58478F4BD30937D22715A0B28965DE6BB76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000166677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.615{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E5D-6323-560F-000000007502}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.612{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.612{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.612{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.612{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.612{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-3E5D-6323-560F-000000007502}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.611{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E5D-6323-560F-000000007502}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.609{E743DC12-3E5D-6323-560F-000000007502}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000166669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.345{E743DC12-3E5D-6323-550F-000000007502}32045372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E5D-6323-550F-000000007502}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-3E5D-6323-550F-000000007502}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E5D-6323-550F-000000007502}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-3E5D-6323-550F-000000007502}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000268428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:46.648{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65372-false10.0.1.12-8000- 10341000x8000000000000000166696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.947{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.945{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.944{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.944{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.944{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.944{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.943{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.942{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000166688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.692{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F8DBFE95119EB4EEE93B63BAD0A9B3,SHA256=1F6FB6437E73121BA303987C82BB864FFF722623330353D67F7D9108A4702C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:50.943{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BDE6E4C364B5ACAB1DC51533525EDA,SHA256=A1744F2180156057F1AD55EC737E68653B726745EF4083596CD198B68148576B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:50.570{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\10509MD5=49CE5DD294C29E99FF090FB09B4D7849,SHA256=027B3824A5C28FD780E868D98A65BB4FE955950205BFC3A413BB3F7C3BA95414,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000166687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.450{E743DC12-3E5E-6323-570F-000000007502}27446024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.276{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E5E-6323-570F-000000007502}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.276{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.276{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.276{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.276{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.276{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-3E5E-6323-570F-000000007502}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.276{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E5E-6323-570F-000000007502}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.277{E743DC12-3E5E-6323-570F-000000007502}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000268433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:51.947{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFF5EC721233B2A4A909C25FE218424,SHA256=6F6FC8342BB59FB81E1353FE6A2F87DDD4A85D286CF1027144A80D199EDDA7DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000166715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.769{E743DC12-3E5F-6323-590F-000000007502}45164476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000166714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.727{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF319868755610DF4F98BA4C9E4DE0A,SHA256=643C1477520F13F9B7F1DAFE80DB0E64BEC4CA44E7C39A5C123E2994565CB2B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000166713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.611{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E5F-6323-590F-000000007502}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.611{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.611{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.611{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.611{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.611{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3E5F-6323-590F-000000007502}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.611{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E5F-6323-590F-000000007502}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.612{E743DC12-3E5F-6323-590F-000000007502}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000166705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.121{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000166704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.121{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000166703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.121{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000166702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.121{E743DC12-3E5E-6323-580F-000000007502}19203964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.120{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000166700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.120{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000166699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.120{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 23542300x8000000000000000166698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.088{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=53A4F83D3F33BAF9DCCD8EEE18234202,SHA256=B335F32A80F78AA23591D9A99ABDE82E49B39594CF2329524DD4470820C377FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000166697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.094{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55273-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000268432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:51.861{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68C6C9B13FDAC014FED2B6560111236A,SHA256=F7C1CFE79DBA76549461C3591FF5EC3F5971FEF7AF1BE4BDD42EB08FCD7D705D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:52.772{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DDD1AAE9CAB78B47641DC954D85201,SHA256=43429B5E905F2A1DC17096224C7E4A8A514830514A5A41293049CA3FEFEA0605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:53.815{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623647E7D0367FEFB026F45908CA467D,SHA256=AF4BE43DA69FB60E418730DDEAD00357D6693FE1E273FE46ABFF67E001323A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:53.555{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1F60AD9A60609E6A62B9F2A4CB261735,SHA256=2EF57615119D6BC398F036A40B1270C6EC4A75F75E4E9EEE61CAD4E7B132495F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:53.051{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0030644727511236274142413BC45CCC,SHA256=EC4EFF13EA192178BB93ECF1B295246519CE8EC9F8D85814F4FBA91B75FED190,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:54.850{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56B4E06C4A1EDB53B2998E72CA6369F,SHA256=92E50C12863428951767169BC579ED471B679687E88AD620947186D86D04594C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000268437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:52.479{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65373-false10.0.1.12-8000- 23542300x8000000000000000268436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:54.055{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77130F280E7C5700CCE519C2C89275E6,SHA256=CC9FC07502AD23B5CE328F6916CE332E9D2D2956F82B88436CEBCBD7FEE98C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:55.904{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27933122738A99EB521E15783FDA1E40,SHA256=FD30BF7E509A64A83CAF379A03A217D002EE12080B9F5AED1F3C84473BEE1B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:55.261{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E21A4F0B632FA4BE1BD534FED948B2,SHA256=4A7A8C84929A4FEDF593026F1E5DF76F9961678E7BC2337D9378AF70EA94F9A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:56.938{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D94BBAAE39F982912125613B278A855,SHA256=6AED897158D5E349E1A6DBAC9F7F59E5B0CCB5465943ABF00B6433CFE274B89D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:56.727{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:56.727{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000268439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:56.266{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F5497938AC457FEFE9BE2BEF9F3D45,SHA256=3A7524392F11342B7E6D9B430CB8B719CAECB293FA33C794B4673C6669571350,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:57.272{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A360FE51037BA5EE533B857C9281FEA2,SHA256=E3322AE284DB6FA8F0C2EB6C422153296D7A26F9330CA0844698D01267977D5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000166729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.997{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.993{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.985{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.976{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.968{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.959{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 23542300x8000000000000000166723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.958{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5706BF45635FF6B75B217532907A0C,SHA256=A7C61C998C1B84CAD7B8F084882049149F47B999F25E286B59B5E3894DDFB601,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000166722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.957{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 354300x8000000000000000166721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:53.883{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55274-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000166774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.984{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EE724C3B02319C39FA7CE2E16AFF46,SHA256=B73028EF3D1614DA1844EE505834F0CEB32477E2478058BA94B57ED9D988DC28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:58.576{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439434D7EED0365C72B5C7EFF0DEC503,SHA256=4E65FF3480A87BCCB6F24FFAC4E87ED59429FB146714075F9E98D2E86797D05E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.525{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12BEBF5AB6B2D7857F5C12EE07C23559,SHA256=93AD2FDF9ECC78AC25AE01EF58363354476FED673398BA11F9143676E4CFCF8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000166772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.280{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.277{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.274{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.272{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.270{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.259{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.258{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.258{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.255{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.252{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.248{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.246{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.237{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.235{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.216{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.204{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.195{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.168{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.151{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.130{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.126{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.124{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.123{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.118{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.118{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.113{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.109{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.108{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.105{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.103{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.102{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.098{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.093{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.091{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.087{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.081{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.079{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.062{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.053{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.030{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.024{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.018{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.008{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 23542300x8000000000000000268444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:59.581{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA7A432516109C8B184FF60C866721F,SHA256=1960F037CFE18CB86F507C1055580487341661B0534E88E26E037070EAA83D1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:00.687{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F5DEE487DDC83D9D6E8D5DC4F1AD0C,SHA256=463C8AABCCA7605A3D5E8FD24E3ED910BB7765B96525499CABC1DD16BE7BD2D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:00.047{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E86B84359B804637BAFCD53AAF7FE5,SHA256=2E39D6275F84A548DAEBF1C023226CCA6A8173D72E697BA5C38FEF167156EFD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000268445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:57.565{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65374-false10.0.1.12-8000- 23542300x8000000000000000268447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:01.691{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91B0517332AC7F77343715A4E2514F5,SHA256=220FA3FA791595616720C2B1B08F91940F7C581A00FBF4F756F1397A9E2F7ACE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000166810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.212{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.212{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000166777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:59.013{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55275-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000166776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.133{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A8ECF70D2CFAD353D1844F43110001,SHA256=5F982A56CB3C9B8C3173E85B2BF600B5CC1B716640962AC422275BE69209771F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:02.695{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F3C50ACA331CFAF63F194A9665DB7D,SHA256=CDE0DE4D2CAFA816341A59DB272EA1C8FCC8DED11DEE22676E4333D0792D7150,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:02.394{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4C821004C97D7DA48A6F9D5DACEA17,SHA256=319768F1D0E4C6576FF8DFF8F6688B7B04528AE9E99A918196DBA80DAFFE5048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:03.799{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90CF41601423448ACC354E822D7F157,SHA256=3C64FC86A9CAF240F0AA8DE423E66EEDEA5ACDABCCB10D0868101F589A02D197,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:03.453{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74724E275E6626E9428B31B1271FAC94,SHA256=B2E313E8029E704815F416C482E00091CF11581A90C6BDBF042A92DEBD4AB644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:04.805{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C5A7AE52E35DEC8EA98C56458543F2,SHA256=F5496795C34E41711E187A2B3303078035479531264ECAF067E226F9B2237DC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000166815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:04.598{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:04.598{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000166813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:04.540{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060B7F6966F10DEA994F30CE57FEDC04,SHA256=BD88AC1013D760FCE1D43466B41A7AE82FD04683A05599AF31450B4B185D1E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:04.521{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-446MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000268453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:02.710{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65376-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000268452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:02.710{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65376-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000268451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:02.665{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65375-false10.0.1.12-8000- 23542300x8000000000000000268450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:04.313{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=577DFF92D767EE99141328B57F51113E,SHA256=C191CF7F3D99267B9C9F3757057D8507C20584917269FBAB45358588F3C86C92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.921{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE35389BD295B7242C5C91D622F300EC,SHA256=220DE603808A1684D55A4CC3DCDBA465C363D7E12453F84AB42AF52EF0761E45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.878{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=DA516B36F0631520290B2BAD8E47B7CC,SHA256=D6094A9A2111B56746596DF9FFE0BBD1613A3D18DDDCBF28052E2806D7BEE57F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:05.600{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B178B962B58435AF610263398FE57B,SHA256=CE3F3F21B5BD041FB03140D87424BC77F879E0A0EE38AE2875CE843DE4319715,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.721{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.713{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000268477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.520{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-447MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000268476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.292{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.283{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.267{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.264{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.256{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.251{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.250{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.248{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.240{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.212{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.195{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.190{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.180{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.173{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.154{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.131{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.125{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.114{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.106{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.071{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.065{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000166821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:06.644{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13E8292BC33AFF683780E41FF0549BA,SHA256=4F7D1B5BBA16A8C2643FD9CB1D21155CC94D1C7FECAE0DC7F9E17C1B7FF8D1B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000166820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:04.103{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55276-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000166819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:06.277{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000166818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:06.276{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000166817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:06.276{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF19aa83c.TMPMD5=39D11997735CDFDAB7051AB86B8F82E9,SHA256=34F34B56FDEF9CE630B3344FE748DFBC186169F1CA2CC69FB9A6920D5DE026AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:07.703{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895765D3C2850A7EE4618934F5C99080,SHA256=2B13E5AF295A9B6BBAF410C065857027B80D714ADD4A963E1F28842ADBF53A99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:07.734{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:07.733{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:07.727{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:07.725{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000268482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:07.124{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8995E0E999CB556EF777868218E6E13,SHA256=A47E06D0BA8BC56D882139EA294626A985FA056AC5F6E07C892FBB0BD0267202,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000166823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:07.355{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:07.355{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000166828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:08.885{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\SiteSecurityServiceState-1.txt2022-09-15 15:02:08.884 23542300x8000000000000000166827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:08.885{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000166826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:08.884{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\SiteSecurityServiceState-1.txt2022-09-15 15:02:08.884 23542300x8000000000000000166825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:08.768{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8411A2BFB5318545A0D6D407A08BF3F,SHA256=92357660AAF9A195FD646B135A229967BA07CC402150B0AA012C8F2CBDF62502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.650{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E35-6323-2E18-000000007402}5964C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.647{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.641{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.640{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.606{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.602{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.594{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.588{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.579{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.574{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.562{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.557{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.551{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.546{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.539{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.534{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.529{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.527{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.504{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.502{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.499{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.485{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.465{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.463{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.460{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.449{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.445{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.443{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.443{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.438{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.434{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.423{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.421{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.380{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.379{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.355{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.340{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.288{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.277{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.266{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.261{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.255{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.253{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.247{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.245{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.244{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.240{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.239{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.237{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000268487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.230{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCA36A03C3BFB16F6FD34289D75271A,SHA256=781A81B74B930F1BE70A2237B5BA24679D499FA907FAF5704345F4EFD8855FAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:09.812{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA3838C5558F12FE7EBB7040C283782,SHA256=99C362209D6F81E8F14E681B0B4AE223392C55F8B40C4264EECB890B4D7ABD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:09.520{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845D215BA9CD155BD846BA69211B3992,SHA256=6DAA017C45F498D8EB35BFFE36FA454AB64B229EFE3AD00CCE4D8A5D45D5388D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:10.871{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D04765031FD72B0A8AAC57D5535EF4,SHA256=B71C6D42AC4BFFC3628056BAA01F0969E6159BFE9DC04D381E8E6B76EAB9E22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:10.556{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98539130331A241E1C2B212FADAD8C89,SHA256=BDC38B1429171D384206CFD1DE5BA7C8B66C3FA44CFD5196157E548EE892E0EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000268538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.575{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65377-false10.0.1.12-8000- 23542300x8000000000000000268540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:11.561{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69743583EF66508B846644A45F054A0F,SHA256=011BDD19FE07FE4279B138095EE456C8423D88A3F94CB51675B78C78CCDD7B49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:11.916{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7444BAA958FBD2C243DE657D6751E5D,SHA256=288544408DAE2DC517F30374FAD2CE016096C17735FA8A45925058D3564AE594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:12.960{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9AAED3D03A02FEA050AC63D2D3233D,SHA256=0522385CCED1B8F5D467A0E29B01719C7B831A6362C5CC585BB5D99644F515B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:12.770{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD987B11347F47D36517A66DAF4F3DE6,SHA256=49DA59E31C0C2A03F70805BA94CD1BE8EE9A18B8196FB15415E30B1E4D97AC00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000166832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:09.874{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55277-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000268547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:13.877{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF7EBE4F7ADFBAF26F8D19E690A4145,SHA256=26F0CF394EA034D7C0CDDCA8FB55FDA2D33F4A1AFBA35D04BBE353A14F523414,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:13.920{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=EFE23DFD59E556640E96E406FF97D213,SHA256=C32ECAB6F3368CE1E57BA8262CB72B12AA6ED965AFDA996015BAC1E8BE75A54B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:13.483{6820D070-DD04-6322-7906-000000007402}26563664C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:13.479{6820D070-DD04-6322-7906-000000007402}26563664C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:13.479{6820D070-DD04-6322-7906-000000007402}26563664C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:13.440{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:13.440{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000268548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:14.980{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24E18049B2BF6F9E257A56323F389A3,SHA256=EFACAF5A55D9B563DE0184FC85316ABC715B28FFB42DA1D5FBC1A5DB1F5F0B56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:14.045{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16146B13E49D7FE469227D5B1CB6B8AA,SHA256=4FB8F95897F423D4F70A481EE7C7A4765829FA4957D92BB1EDAD344CA291EE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:15.084{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F192C43A1F3431852166F3AD27E948B7,SHA256=16AFEE1EE15D64E93F708459E99814CC6BD46E78402D9449E0813447704F98BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.769{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64520A1AB422D8508C477BC3F5CD4099,SHA256=59BE87647D1495A7C816019A70974197BD97AD282EB6E5F021BE5FF5E8FB414C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000268665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.760{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\AlternateServices-1.txt2022-09-15 15:02:15.759 23542300x8000000000000000268664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.760{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000268663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.760{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\AlternateServices-1.txt2022-09-15 15:02:15.759 10341000x8000000000000000268662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.744{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017AB1B4B)|UNKNOWN(00000000011294EF)|UNKNOWN(0000000001129496)|UNKNOWN(00000000011293EA)|UNKNOWN(0000000001129313)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64) 734700x8000000000000000268661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.738{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll2.0.50727.8745 (WinRel.050727-8700)WMINet_Utils.dllMicrosoft® .NET FrameworkMicrosoft CorporationWMINet_Utils.dllMD5=FE3A877218F498F90DD1D097FB770BFA,SHA256=7B7AB5348E3143DB00D0FCE36E5A75867046B5C60FC52DC9E0A166CA2FDF714E,IMPHASH=422758B458E7A457D744549F961156CCtrueMicrosoft CorporationValid 734700x8000000000000000268660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.651{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.650{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.650{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 23542300x8000000000000000268657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.630{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE6C59BBF1F6EEFF612BECE849CCEB2,SHA256=4FE3F87D7E86B5A85AA3562FD241932AB58C08A8E59C55D2A27D7849F8AEA73E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000268656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.626{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000268655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.625{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000268654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.625{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000268653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.610{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.5246 (rs1_release.220701-1744)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=2A16D108FE99577ABCC08B92F2765971,SHA256=AF5268F39CE35FA3215E8162A0BF4C1949D0F5FB7A284953362ED23507C5697F,IMPHASH=36E120EA05F8714D20693A7DA02D7326trueMicrosoft WindowsValid 734700x8000000000000000268652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.606{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000268651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.604{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000268650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.601{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000268649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.600{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000268648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.598{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2F,IMPHASH=844732D10340F10C1E97778BA10CF30EtrueMicrosoft WindowsValid 734700x8000000000000000268647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.598{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000268646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.597{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x8000000000000000268645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.597{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x8000000000000000268644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.597{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 734700x8000000000000000268643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.595{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9,IMPHASH=CAC6B3339C5CAA083E24A4484EE86E29trueMicrosoft WindowsValid 10341000x8000000000000000268642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.592{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.588{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587B,IMPHASH=34AF29CE553D01A9CE643682A40D7CB5trueMicrosoft WindowsValid 734700x8000000000000000268640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.588{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040C,IMPHASH=789B4484C292CAC32E0806DEE3E8734AtrueMicrosoft WindowsValid 734700x8000000000000000268639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.586{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6D,IMPHASH=61592743BFAEF2F12950E5420FA2AEB1trueMicrosoft WindowsValid 11241100x8000000000000000268638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.488{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txt2022-09-15 15:02:15.487 23542300x8000000000000000268637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.488{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000268636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.487{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txt2022-09-15 15:02:15.487 10341000x8000000000000000268635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.483{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.471{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.470{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.470{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.464{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.462{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.462{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.456{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.453{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.453{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.446{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll8.0.50727.8745 (WinRel.050727-8700)Dia based SymReaderMicrosoft® Visual Studio® 2005Microsoft Corporationdiasymreader.dllMD5=7D6A7AD508368F8A41E19A593BF8152A,SHA256=9385717A62043C46A22A99893139475ACB44C0096DDE9954C9BDED721F4581A2,IMPHASH=E2ADD10FCF5C120524D6149FB9E129DEtrueMicrosoft CorporationValid 734700x8000000000000000268624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.365{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationmscorjit.dllMD5=942A0FD4301180517656DF2D7DF45574,SHA256=B9648A085BD060F253D28351E5FED798CE5893B69FA4E221D44C99F460D05936,IMPHASH=458AE5B7483D2B3344CEEB01EB67E386trueMicrosoft CorporationValid 10341000x8000000000000000268623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.362{6820D070-D2F0-6322-1500-000000007402}12522024C:\Windows\system32\svchost.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.362{6820D070-D2F0-6322-1500-000000007402}12521316C:\Windows\system32\svchost.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.362{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x8000000000000000268620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.359{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=33842D2EF1AFD0E94F73E24E55724418,SHA256=EBD2C419EB5B75270E1CC6F80FABD899C8F7B787F742CF3B0F608BB807197DF1,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 10341000x8000000000000000268619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.340{6820D070-27DD-6323-F614-000000007402}65044588C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000001301360A)|UNKNOWN(000000001AAAFDB2)|UNKNOWN(000000000343334C)|UNKNOWN(000000001AB3F017)|UNKNOWN(000000001AFF8399)|UNKNOWN(000000001AFF81F1)|UNKNOWN(000000001AFF81A9)|UNKNOWN(000000001AFF804A)|UNKNOWN(000000001AFF7EA6)|UNKNOWN(000000001AFF7CBB)|UNKNOWN(000000001AFF7B64)|UNKNOWN(000000001AFF7577)|UNKNOWN(000000001AB6832F) 10341000x8000000000000000268618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.339{6820D070-27DD-6323-F614-000000007402}65046344C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000001335D74A)|UNKNOWN(00000000009BA9C6)|UNKNOWN(00000000009BA6D5)|UNKNOWN(00000000009BA13B)|UNKNOWN(00000000009BA0BD)|UNKNOWN(00000000034BE579)|UNKNOWN(000000000354671F)|UNKNOWN(00000000009E816D)|UNKNOWN(000000000D7DD087)|UNKNOWN(0000000003542CCE)|UNKNOWN(000000000D7D69E5)|UNKNOWN(000000000333A6E5)|UNKNOWN(000000000333A62A)|UNKNOWN(000000001AFF804A) 734700x8000000000000000268617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.334{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.330{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Globalization SupportMicrosoft® .NET FrameworkMicrosoft Corporationculture.dllMD5=22E9113EA0D1D8252314F23BAD16DD36,SHA256=A731E05FCFCE0B9FCF449DFB589A49C09FC63593D61676F5EE3977CBD47C64A9,IMPHASH=104E17C81D918D1C093DA532DC4F4DBEtrueMicrosoft CorporationValid 734700x8000000000000000268615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.330{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.330{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.322{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x8000000000000000268612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.322{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x8000000000000000268611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.321{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x8000000000000000268610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.321{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B05DBB473918152F51A7F5A10FE250C7,SHA256=85EA95E8D8B1123288E84E5DC8502584288D67B2C692B118411F37774479498B,IMPHASH=A7A8E1C7D8A348EDDDA81702A2FEC068trueMicrosoft WindowsValid 734700x8000000000000000268609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.321{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x8000000000000000268608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.320{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=65BF71AD92E68AC9BCDFA13C5FF0959D,SHA256=14FDD181EF550EAE500F4B617877BD2DC04827704704A56DCF30446AEEA2882A,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 10341000x8000000000000000268607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.315{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(0000000001140472)|UNKNOWN(000000000844DDC1)|UNKNOWN(000000000844E42A)|UNKNOWN(00000000132F5640)|UNKNOWN(00000000009B6AC8)|UNKNOWN(00000000009B68B6)|UNKNOWN(000000001301BB1E)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE) 10341000x8000000000000000268606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.314{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(00000000011234C4)|UNKNOWN(00000000011233F4)|UNKNOWN(00000000011233CB)|UNKNOWN(00000000009B6AC8)|UNKNOWN(00000000009B68B6)|UNKNOWN(000000001301BB1E)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08) 10341000x8000000000000000268605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.302{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(0000000001140472)|UNKNOWN(000000000844DDC1)|UNKNOWN(000000000844E42A)|UNKNOWN(000000001301C500)|UNKNOWN(00000000009B4B8E)|UNKNOWN(000000001301BA6A)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08) 10341000x8000000000000000268604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.302{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(00000000011234C4)|UNKNOWN(00000000011233F4)|UNKNOWN(00000000011233CB)|UNKNOWN(00000000009B4B8E)|UNKNOWN(000000001301BA6A)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 10341000x8000000000000000268603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.302{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000001301C1EA)|UNKNOWN(00000000009B4C5C)|UNKNOWN(00000000009B4B6D)|UNKNOWN(000000001301BA6A)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64) 10341000x8000000000000000268602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.302{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(0000000001140472)|UNKNOWN(000000000844DDC1)|UNKNOWN(00000000009B359E)|UNKNOWN(00000000009B2AC8)|UNKNOWN(00000000009B2566)|UNKNOWN(000000001301213F)|UNKNOWN(00000000009B1F77)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 10341000x8000000000000000268601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.289{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(00000000011234C4)|UNKNOWN(00000000011233F4)|UNKNOWN(00000000011233CB)|UNKNOWN(00000000009B2566)|UNKNOWN(000000001301213F)|UNKNOWN(00000000009B1F77)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 10341000x8000000000000000268600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.289{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000001301360A)|UNKNOWN(00000000009B2520)|UNKNOWN(000000001301213F)|UNKNOWN(00000000009B1F77)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+4660a(wow64) 10341000x8000000000000000268599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.289{6820D070-27DD-6323-F614-000000007402}65046344C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(0000000013010C9F)|UNKNOWN(00000000034BE48C)|UNKNOWN(000000000354671F)|UNKNOWN(00000000009E816D)|UNKNOWN(000000000D7DD087)|UNKNOWN(0000000003542CCE)|UNKNOWN(000000000D7D69E5)|UNKNOWN(000000000333A6E5)|UNKNOWN(000000000333A62A)|UNKNOWN(000000001AFF804A)|UNKNOWN(00000000035B45C5)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+4660a(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+900db(wow64) 10341000x8000000000000000268598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.286{6820D070-27DD-6323-F614-000000007402}65041056C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64) 10341000x8000000000000000268597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.285{6820D070-27DD-6323-F614-000000007402}65041056C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000268596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.285{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET External Data Access SupportMicrosoft® .NET FrameworkMicrosoft Corporationcordacwks.dllMD5=0ACFE06D73EFBCAFACF72A22F7D79E91,SHA256=525591629E48EC84FE78DBC621AE91536E7039B50593B60AD6B3801B1F91EB5A,IMPHASH=F0FBF635B7EFD828980AA6937580AF82trueMicrosoft CorporationValid 10341000x8000000000000000268595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.284{6820D070-27DD-6323-F614-000000007402}65041056C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000268594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.284{6820D070-27DD-6323-F614-000000007402}65041056C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000268593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.281{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_d08e1538442a243e\msvcr80.dll8.00.50727.9268Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMSVCR80.DLLMD5=26A95438C2D0E0C41B73D19400F4C2DB,SHA256=CC97DCB66E3150CD14294D21AD0E10C7472DF45CAF37E49675A70ED406882BE2,IMPHASH=7FECBC4A16A5DC85A5394A1DF6217680trueMicrosoft WindowsValid 734700x8000000000000000268592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.280{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationmscorwks.dllMD5=25CEE067AED86FF988C8D31BD7212A21,SHA256=3E0987EFC92F4BCD2798934A70BBEDCADB37899B4F6225279F3685A0DB5BB2F8,IMPHASH=C8D17502D1A38C77CC8770F7291FD333trueMicrosoft CorporationValid 734700x8000000000000000268591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.279{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9,IMPHASH=313B85F092EA5CD18DD8311E8921D208trueMicrosoft WindowsValid 734700x8000000000000000268590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.278{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x8000000000000000268589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.277{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x8000000000000000268588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.276{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x8000000000000000268587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.275{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x8000000000000000268586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.275{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=8B516F883167509677B58B9984D8EEA2,SHA256=47F9B88E4038517FC8C5FEB3AC04B21A885EE505143952C96A23FE851869A90E,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x8000000000000000268585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.275{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x8000000000000000268584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.274{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x8000000000000000268583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.273{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=9629C30BA0F10D72FD189FCA987B0E29,SHA256=4DDAF3BB8CE239A8AD41F333AE7D2AD6B7763B9ED8B862695B67F60E5ADE031C,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x8000000000000000268582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.273{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6CE01AB1C2063B171AD7432B130FEBBD,SHA256=F554E9818C54F6C760C6E53BAEABCA3F5CAD683C028460307F3D93C7A8B06F02,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x8000000000000000268581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.272{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120,IMPHASH=25F1E57C7A6ED06AAF329CB7B168FA29trueMicrosoft CorporationValid 734700x8000000000000000268580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.271{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x8000000000000000268579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.270{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x8000000000000000268578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.270{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=1B90C58145F4B3C0743C470793469AD6,SHA256=21D752964E10DBB4DFC589856AA808D31E301B93C9E5FF6D1655D32FBD00AF44,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x8000000000000000268577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.270{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=C6EE0DB29435BF41835FFA96EB2F14C5,SHA256=CAF9E05D47F84728986E1BF563B3B87FAF3522F4E0CC4FD95694F418C307AD92,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 734700x8000000000000000268576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.270{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x8000000000000000268575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.269{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x8000000000000000268574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.269{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7,IMPHASH=8B861EA72FDD6FC722328B2746B13380trueMicrosoft WindowsValid 734700x8000000000000000268573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.266{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=25ADC994F9AF8716E35487995DDB45CE,SHA256=47B573E7708AAA00F2BE6E8EB7F3CB1B4817E65FACBBB1D772970A8F710DAF61,IMPHASH=6E1D0A92C1917EFBFC1EEA82FA5E155FtrueMicrosoft WindowsValid 734700x8000000000000000268572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.266{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000268571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.265{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77,IMPHASH=900F88A34CE398C54C9022F5335E8EA9trueMicrosoft WindowsValid 734700x8000000000000000268570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.265{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x8000000000000000268569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.264{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000268568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.264{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000268567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.264{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000268566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.264{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000268565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.264{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x8000000000000000268564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.263{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 734700x8000000000000000268563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.263{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=B04953E4C38042AD2628FA49AB42AB5C,SHA256=7B2B4662D3EE0D6DD673C0FEEE4B28E2E16ABF534DF3076497C6B6B40E8BE9C1,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.263{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.262{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Temp\agent_tesla-deob.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exeMD5=CE35C7E6BD64F72A5BF8C8459A8EA05C,SHA256=9C476C5E9FD2D46E52B9221A5CCA1DD4C768516740019D8DE59C47424869C522,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 10341000x8000000000000000268560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.262{6820D070-27DD-6323-F614-000000007402}65047148C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+f6f0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+eb46(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a9a1(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000268559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.262{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.262{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.261{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.261{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.261{6820D070-DD00-6322-5E06-000000007402}34204672C:\Windows\system32\csrss.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000268554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.261{6820D070-27DD-6323-F614-000000007402}65047148C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9328(wow64)|C:\Windows\System32\KERNELBASE.dll+d800c(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a871(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a937(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000268553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.260{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exe"C:\Temp\agent_tesla-deob.exe"C:\Temp\ATTACKRANGE\Administrator{6820D070-DD02-6322-1C5A-600000000000}0x605a1c2HighMD5=CE35C7E6BD64F72A5BF8C8459A8EA05C,SHA256=9C476C5E9FD2D46E52B9221A5CCA1DD4C768516740019D8DE59C47424869C522,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000268552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.260{6820D070-D2F0-6322-1200-000000007402}965740C:\Windows\System32\svchost.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.256{6820D070-DD04-6322-7906-000000007402}26563664C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.256{6820D070-DD04-6322-7906-000000007402}26563664C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.256{6820D070-DD04-6322-7906-000000007402}26563664C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000166837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:16.130{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC57FE28305A8416A01E0DFF9ABF6592,SHA256=4C12A1CF7A69E26D8EA56AF4A6C559239BE75C220C03E693138D68479A6F7997,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000268685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.945{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\WinTypes.dll10.0.14393.5192 (rs1_release.220610-1622)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=C3EAC9E7B604696B078D4275571F58EC,SHA256=8A1F5F88F70C1BD511AE7D0E03D6ABAE1778D59D10041D17B562FE9190559A0A,IMPHASH=E5E8B16505186AC32311EE602EA3C845trueMicrosoft WindowsValid 734700x8000000000000000268684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.944{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\vaultcli.dll10.0.14393.5066 (rs1_release.220401-1841)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=0F9CC4F83FDD30CA09546038D0C1500F,SHA256=754954935A1BB01C0695252B16EDF251F7FF2D66BFB00450CF038D0AA079B844,IMPHASH=8721D7F174531C1C4F8942462C87C899trueMicrosoft WindowsValid 734700x8000000000000000268683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.923{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.922{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.921{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.818{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shfolder.dll10.0.14393.0 (rs1_release.160715-1616)Shell Folder ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationshfolder.dllMD5=83D8A4E04F99C5FD749D34CC4B970A0E,SHA256=0924F96973B3CE4F15BB7947E6C593B3EA1015E459BF70C3A247A31632EF2ACA,IMPHASH=A262E121DDB8823B3F2D530403B9D7E9trueMicrosoft WindowsValid 10341000x8000000000000000268679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.805{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.804{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.779{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017AB1B4B)|UNKNOWN(00000000011294EF)|UNKNOWN(0000000001129496)|UNKNOWN(00000000011293EA)|UNKNOWN(0000000001129313)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64) 354300x8000000000000000268676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:14.480{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65378-false10.0.1.12-8000- 23542300x8000000000000000268675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.274{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1BB1929A0D2C92D6FD38F71FB52DB7E,SHA256=BBAF3DDE0782C1A6995B1BD3DCB24A464C73A232E316C904579994E666005DDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.146{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F31C21A6DE86CBBDF8E66DFF43E0F7C1,SHA256=8C875D62AD8AAE3A76252EC203CC9EC9BCB19CFE9F8C93211D69C3CC6C3E8F24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.122{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3BE95F4D916662566F0E83E95D358C,SHA256=4410BF9A2793289DC81A867F9049BF7B71B66FAF4C9596EBD82B58F74DF0459C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000268672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.115{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000268671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.115{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000268670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.114{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000268669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.113{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000268668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.113{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000268667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.113{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000166841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:17.991{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000166840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:17.977{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000166839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:17.974{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000166838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:17.189{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743DAAF08DE633FE12571CB36254E944,SHA256=AFC813E04E5924D24EF2B874DE98CA66FCE1446BA0ED7733EA258F65F6B1694A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:17.899{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:17.133{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4D51EA79FE71B4A766FA8B819A6A0E,SHA256=1FCFE91012135517376E4AB85212D9550AB18258FC68C26E633871E691883231,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.935{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=AB4128D5D47843824FAFD1E5A64457D5,SHA256=B0D877932E28876DD0B49F44D3BFD42290A8829F2F1A284DF11E2D983B98BB68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000166890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.344{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.341{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.339{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.337{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.335{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.325{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.324{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.324{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.321{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.318{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.315{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.313{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.306{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.304{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.287{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.276{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000166874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.273{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E6E8857E6A84774C8B989336F42DB3A,SHA256=68E8FB8D81EFAB609C7DA50F494F6F9A977FCB747D04ECFEE6E905592FC06FE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000166873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.267{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.247{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.241{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.231{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.226{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.225{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.223{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.219{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.214{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.211{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.208{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.207{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.205{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.204{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.202{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.198{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.194{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.191{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000268742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.555{6820D070-3E7A-6323-3718-000000007402}79242820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.555{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000268740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.554{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000268739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.027{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65379-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000268738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.015{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local50644- 354300x8000000000000000268737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.012{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52136- 734700x8000000000000000268736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.352{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000268735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.351{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000268734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.350{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000268733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.349{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000268732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.348{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000268731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.347{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000268730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.347{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000268729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.347{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000268728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.346{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000268727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.340{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000268726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.339{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000268725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.339{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000268724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.339{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000268723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.339{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000268722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.339{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000268721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.339{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000268720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.339{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000268719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.338{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000268718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.338{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000268717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.338{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000268716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.338{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000268715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.338{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000268714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.337{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000268713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.337{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000268712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.337{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000268711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.337{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000268710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.336{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000268709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.336{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000268708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.336{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000268707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.335{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000268706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.335{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000268705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.335{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000268704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.334{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000268703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.334{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000268702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.334{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.334{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000268700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.333{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.332{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000268698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.332{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000268697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.332{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.331{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000268695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.331{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.331{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.331{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.331{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.331{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000268690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.330{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000268689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.328{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000268688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.138{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9427C6EEE519692240489E4128701B,SHA256=F02A100748AB839BD872F5BCF7A554423C87ADBBECE0ACFE36F3F88950FDB332,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000166855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.188{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.182{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.176{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.156{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000166851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.142{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000166850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.092{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000166849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.081{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000166848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.065{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 354300x8000000000000000166847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:15.006{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55278-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000166846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.047{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000166845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.025{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000166844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.020{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000166843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.013{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000166842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.001{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000166892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:19.595{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D612DC49EF23A1417F50C34B55EEBB,SHA256=40BB9434E26F1D8265BBA7458A53D1EC8D673C6A53C63F3AD79A04A1B254004D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000268855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.854{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000268854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.854{6820D070-3E7B-6323-3918-000000007402}62645764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.854{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000268852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.853{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000268851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.696{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000268850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.696{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000268849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.695{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000268848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.694{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000268847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.693{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000268846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.692{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000268845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.692{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000268844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.692{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000268843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.686{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000268842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.685{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000268841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.685{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000268840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.684{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000268839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.684{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000268838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.684{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000268837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.684{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000268836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.684{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000268835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.683{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000268834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.683{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.683{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000268832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.683{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000268831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.683{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000268830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.683{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000268829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.683{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000268828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.683{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000268827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.683{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000268826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.683{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000268825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.683{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000268824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.682{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000268823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.682{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000268822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.682{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000268821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.682{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000268820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.682{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000268819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.682{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000268818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.682{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000268817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.681{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000268816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.681{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.680{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000268814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.680{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000268813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.679{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.679{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000268811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.679{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.679{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.678{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.678{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.678{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000268806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.678{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000268805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.677{6820D070-3E7B-6323-3918-000000007402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000268804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:17.357{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65381-false10.0.1.12-8089- 354300x8000000000000000268803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.160{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65380-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 23542300x8000000000000000268802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.399{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654687D1675592366BCC6DE5E488FED7,SHA256=2336FC74368C55BB4865C620B63371DEBBE8B9E51569A2F18A400086A260323E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.396{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B011649CBAC155C594D83DE3E61D95,SHA256=1FD4EC5223876166346E62982B63FCD0BC5B238082143A8ADF933410FCD4CE96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000268800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.326{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017AB1B4B)|UNKNOWN(00000000011294EF)|UNKNOWN(0000000001129496)|UNKNOWN(00000000011293EA)|UNKNOWN(0000000001129313)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64) 10341000x8000000000000000268799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.305{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.294{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017AB1B4B)|UNKNOWN(00000000011294EF)|UNKNOWN(0000000001129496)|UNKNOWN(00000000011293EA)|UNKNOWN(0000000001129313)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64) 734700x8000000000000000268797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.210{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000268796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.209{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000268795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.208{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000268794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.032{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000268793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.031{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000268792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.030{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000268791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.030{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000268790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.028{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000268789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.028{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000268788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.027{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000268787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.027{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000268786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.020{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000268785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.019{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000268784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.019{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000268783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.019{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000268782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.018{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000268781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.018{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000268780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.018{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000268779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.018{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000268778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.017{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000268777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.017{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000268776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.017{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000268775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.017{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000268774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.017{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000268773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.017{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000268772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.017{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000268771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.016{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000268770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.016{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.016{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000268768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.016{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000268767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.016{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000268766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.016{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000268765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.016{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000268764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.016{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000268763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.016{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000268762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.016{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000268761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.015{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000268760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.015{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000268759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.015{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000268758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.015{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000268757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.014{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000268756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.014{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000268755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.014{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000268754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.013{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.012{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000268752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.012{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000268751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.011{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.011{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000268749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.011{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.011{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.010{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.010{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.010{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000268744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.010{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000268743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.008{6820D070-3E7B-6323-3818-000000007402}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000166897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:20.652{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8939024FD2ADA3912FCAFDDAAF1DA78B,SHA256=F1EAF88155A436D3F715E2CA301FDB2869E58598EC5B85979ECCABC93CC9D44E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.934{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=89C11BE8AEAB70F4D92F37B7D6001575,SHA256=16597F3456C165A180F4F34DA27B4A7F9F89667EF5DFA31F4172777FE06BD14E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.736{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A46A9AAF3503CF3CB986AF60997495,SHA256=6BAF0459B33C426470F62B0F9A6D36C5D1EA2343F8FF861A85055CE9C0D95550,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000268927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.610{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94,IMPHASH=58B9E3FB550C715872D0FDCF7F80C373trueMicrosoft WindowsValid 734700x8000000000000000268926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.608{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6A,IMPHASH=C910DDFE30DC1006ADAE67F73F17158EtrueMicrosoft WindowsValid 734700x8000000000000000268925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.560{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000268924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.558{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000268923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.557{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000268922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.539{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000268921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.144{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61218- 354300x8000000000000000268920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.142{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local54209-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x8000000000000000268919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.142{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64330- 354300x8000000000000000268918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.142{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61479- 354300x8000000000000000268917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.142{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61479-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domain 10341000x8000000000000000166896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:20.384{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:20.384{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:20.384{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:20.366{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.513{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4,IMPHASH=3BCAD7DA03A0242A2A34491F77EA8067trueMicrosoft WindowsValid 734700x8000000000000000268915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.504{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839,IMPHASH=DC23FFFD2EBC3578D9A77CC0B9DC22C2trueMicrosoft WindowsValid 10341000x8000000000000000268914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.504{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.502{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=68C7867BEB2A710D14B70D96C4D7DE4E,SHA256=DA093049898D4608579C739B6A63DC98A3FBA57ABDDBFB94C48D2A8335BA0CBD,IMPHASH=02FB3A0617EDCFE43788537F1544278CtrueMicrosoft WindowsValid 734700x8000000000000000268912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.501{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=48821439687840212B6457EDD266FA1C,SHA256=F3E9CC2B98D7E0CEBCFCC7906926E839436358437EF10E335CAF7FFAB9E13DC5,IMPHASH=F55036BC63B11DD610F1F8CFD77D76A7trueMicrosoft WindowsValid 734700x8000000000000000268911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.500{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171,IMPHASH=5C77750BF609660A7729B242FA74E98CtrueMicrosoft WindowsValid 734700x8000000000000000268910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.499{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6,IMPHASH=228F99E8B005CFF18296089AF6DEA022trueMicrosoft WindowsValid 734700x8000000000000000268909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.499{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0,IMPHASH=2B9681B9C7B5E00CD2814399F4685385trueMicrosoft WindowsValid 23542300x8000000000000000268908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.422{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D858D4B830E4974A756816FBBBD2A140,SHA256=C2EAC05B1E04841BE86F6110B0C7F5C1B87CFE788204F48229545873BAF55C52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.420{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D804977787C93DFC5E3E45875EEAE5F,SHA256=E466FD43F5B1E9CBEBFD22A29B182C70DB382A5A141A34F8E7EA28A76E574B3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000268906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.374{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000268905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.373{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000268904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.373{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000268903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.372{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000268902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.370{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000268901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.361{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000268900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.361{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000268899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.353{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.353{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000268897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.353{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.352{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000268895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.352{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.352{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000268893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.352{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000268892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.352{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000268891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.352{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000268890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.351{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000268889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.351{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000268888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.351{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000268887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.351{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000268886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.351{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000268885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.351{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000268884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.351{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000268883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.351{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000268882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.351{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000268881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.350{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000268880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.350{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000268879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.350{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000268878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.350{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000268877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.350{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000268876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.350{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000268875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.349{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000268874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.349{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000268873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.349{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000268872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.348{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000268871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.348{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000268870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.348{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000268869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.348{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.347{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000268867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.347{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.346{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000268865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.346{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000268864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.345{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.345{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000268862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.345{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.345{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.344{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.344{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.344{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000268857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.344{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000268856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.343{6820D070-3E7C-6323-3A18-000000007402}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000166900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:21.783{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=0F8F795E357674AD9E7EF403F6A68FA1,SHA256=867D86DE2876D8B3875195826AAD36D01CA5947A511BBEAF8FF1DCD526A6375E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:21.699{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58F9180CF80E5F1CBC2537711487CDC,SHA256=76E65E90206B761C4B77E6FE29B89DA7FF52177305F42F55A1595DB4A1E48CA8,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000269040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.864{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000269039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.864{6820D070-3E7D-6323-3C18-000000007402}50166224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.864{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000269037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.863{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000269036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:19.601{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65382-false10.0.1.12-8000- 22542200x8000000000000000269035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.574{6820D070-3E77-6323-3618-000000007402}5052testgoatsmtp.com0::ffff:127.0.0.1;C:\Temp\agent_tesla-deob.exe 22542200x8000000000000000269034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.638{6820D070-EFF0-6322-ED08-000000007402}4396etsy.map.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000269033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.761{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EA9E2804B14287A58F6D26257D538B,SHA256=5742F926AF2AF58978B745D678F2372553F42BA8E30B06E8669948F4B876E5D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.760{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55EDEB204CFFEA26636D01CD30BCA1E,SHA256=6000791B038CDB88A7A5434B4F96DA8C6C7F83963EE52A47575156256B3A648F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.758{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DFA764CA0EEB0630C1D27DA4566B4F89,SHA256=E6F7B0C398CFC8D55EC887B2B728F91A0659FD85919C21396D102E81D524939C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000269030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.710{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000269029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.710{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000269028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.709{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000269027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.709{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000269026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.707{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000269025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.707{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000269024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.706{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000269023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.706{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000269022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.700{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000269021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.700{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000269020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.700{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000269019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.699{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000269018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.699{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000269017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.699{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000269016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.699{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000269015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.698{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000269014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.698{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000269013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.698{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.698{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000269011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.698{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000269010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.698{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000269009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.698{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000269008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.698{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000269007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.697{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000269006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.697{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000269005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.697{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000269004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.697{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000269003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.697{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000269002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.697{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000269001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.697{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000269000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.697{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000268999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.697{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000268998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.697{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000268997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.697{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000268996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.696{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000268995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.696{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.695{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000268993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.695{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000268992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.694{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.694{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000268990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.694{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.694{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.693{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.693{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.693{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000268985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.693{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000268984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.692{6820D070-3E7D-6323-3C18-000000007402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000268983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.675{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\2896MD5=B5BB92A797FD91FBBFA09B2413361F90,SHA256=3CB7B4A8729D5E4C4AEC90F4334F29EAC65BEDF9A1DF93D2C21108A06A3ACBB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.675{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\12805MD5=53A16E81FF9A346A5ED8090DF7D7F189,SHA256=CDBEDDBE416C2749284AE98432E6AC295BEA078CBEAC5BA5D05426218B31A1CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.674{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\24583MD5=AF71BCDA0A5A8BCE6EE83C497DBFDBFE,SHA256=160CBD8EC8F4C337A4F1522195BF250B3A6B77A11087B82F6B8166DC6D3C7E77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:21.167{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=29D17BE7EFA125232648947AEC1759B3,SHA256=DAC1BDA379ED960E2951CE586ED1FD862F70699CCB1ED62DDEB181850A18173A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000268980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.194{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000268979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.193{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000268978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.192{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000268977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.036{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000268976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.034{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000268975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.034{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000268974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.033{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000268973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.031{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000268972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.031{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000268971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.031{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000268970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.031{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000268969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.025{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000268968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.024{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000268967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.024{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000268966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.023{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000268965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.023{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000268964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.023{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000268963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.022{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000268962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.022{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.021{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000268960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.021{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000268959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.021{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000268958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.021{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000268957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.020{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000268956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.020{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000268955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.020{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000268954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.020{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000268953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.020{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000268952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.020{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000268951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.020{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000268950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.020{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000268949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.020{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000268948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.019{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000268947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.019{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000268946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.019{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000268945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.019{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000268944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.019{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000268943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.019{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000268942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.019{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 10341000x8000000000000000268941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.018{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.017{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000268939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.016{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000268938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.016{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.015{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000268936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.015{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.015{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.015{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.015{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.015{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000268931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.014{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000268930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:21.013{6820D070-3E7D-6323-3B18-000000007402}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000166902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:22.844{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2307198A167DB99C9FD1B09A23EC24E7,SHA256=5FC80CDC45479751AA33D08EA293C1CF37027BFC0AFC32719D584176AFCCA9ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000269096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.098{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-65383-false127.0.0.1-25smtp 354300x8000000000000000269095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:20.098{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-65383-false127.0.0.1-25smtp 734700x8000000000000000269094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.543{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000269093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.543{6820D070-3E7E-6323-3D18-000000007402}39121272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.535{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000269091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.534{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000269090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.419{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138FBB1AC50A754A7B50D1DEA72910EF,SHA256=DF5707EC41C2956DF8D7077DA02222B891F5B7ACC87AE1FB3C8861AADEA843F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000269089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.317{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000269088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.316{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000269087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.316{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000269086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.314{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000269085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.312{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000269084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.312{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000269083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.309{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000269082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.309{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000269081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.297{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000269080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.297{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000269079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.295{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000269078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.295{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000269077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.295{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000269076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.294{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000269075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.294{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000269074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.294{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.294{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000269072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.293{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000269071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.293{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000269070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.293{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000269069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.293{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000269068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.293{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000269067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.293{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000269066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.292{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000269065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.292{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000269064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.292{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000269063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.292{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000269062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.292{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000269061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.292{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000269060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.289{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000269059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.289{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000269058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.289{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000269057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.289{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000269056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.289{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000269055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.289{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000269054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.288{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000269053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.287{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.284{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000269051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.284{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000269050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.283{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.283{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000269048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.283{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.283{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.283{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.283{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.282{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000269043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.282{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000166901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:22.369{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 154100x8000000000000000269042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.281{6820D070-3E7E-6323-3D18-000000007402}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000269041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:22.102{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEAED758EF6CE733BF54F7E345861868,SHA256=BAC98C02E45B771C21764B28D00116D7B7CFB18434C740870F18C40A3B894544,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:23.888{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0294AE16802E9B4D90FCA1E46C60B3E8,SHA256=9A434E520195982B0E9BC6B22517743094AA6499A8136BA8E3573EF18C5300D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:23.814{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9D71348920834F2281CB0F7A52BF76,SHA256=302B74A035EA2427A964BA01FB1C4E90FBC656B90839FD0E84016DD96E3B03A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000166903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:20.047{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55279-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000269098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:23.754{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6B9D14680ED8CAA1C51889C5014DA2EC,SHA256=969B90672BF21A0DD832C9C3AA40052AE3A043F2FA8666BA26C0A91E738AB594,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:23.058{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67EB0FF8AF316BDB41E34314EF4DDCB,SHA256=F654BF6250E09F1E970ED63DC80D2705D98BA3119E36DA9D62525BD20E77AAD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:24.817{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8427F48320FF7E706861ECD91F111C5,SHA256=CE8469110E407E589F99682A197933500A0DBD9EF7CB16855C7BFC3C7A8B420C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:24.974{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C21EB870ABE7AA607C71BEBA38EF2C,SHA256=20C358E8B2B62535B9712CD88A5F7F0CD192923DF128216D2E4B8E057B2273EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000166905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:21.219{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55280-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000269123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.599{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.598{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.255{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.249{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.240{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.236{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.231{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.228{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.227{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.225{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.220{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.193{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.180{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.174{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.166{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.159{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.151{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.141{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.135{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.126{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.119{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.078{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.076{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000269124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:26.028{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E0F5FD6991B5E2831BC575F46FB097,SHA256=3AED8ABCC902060B23724D2EBD4633CF71A5375E278445A31C866FD273C1B886,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:26.030{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2D6F3F8F6FCA6ADD94B798195B40ED,SHA256=FD2EE0347D45A22CAAC62EFC6E15C74AEC6FFB965BD10902750496ECBD48457E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:27.613{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:27.611{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:27.606{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:27.604{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000269125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:27.031{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F72CF54AC3D5A4A9D06A58C5CBF6901,SHA256=953980D365AEA67C2FBD97E619D1D660BECC471C9C915B47A1629104EB95DF96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:27.051{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB073754C5602E337B6A66BE0E49489,SHA256=4E3982A85400FA32EBAE20CAC809D7A87A69B794BCEA545662D3AE1BEBA4F305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:28.111{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA854EBF6C36A4A842045D65CD8AFEF,SHA256=0D8BD179D90F4F7C8EF6CB68212CCAA517C66F291E008ABC2A106C0BD171BE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.932{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B110AF914B776B1952D724E0EDFCDE,SHA256=7002792944BD66FD1E65AA39F20C05F15B2D52410FB35B87D1CCAAA6097777C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.664{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.663{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7EB0B994422CEC5F8B4EB8F30D6562A8,SHA256=99BD2BFBDF85AD77CF04D5143771C027E6521787CCCFC2361DF59F227452403D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000269180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.351{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.348{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.343{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.342{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.316{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.313{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.311{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.308{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.305{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.304{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.300{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.296{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.293{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.290{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.287{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.286{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.286{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.285{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.273{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.272{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.271{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.269{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.261{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.260{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.257{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.255{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.252{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.251{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.251{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.247{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.244{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.237{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.235{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.215{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.214{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.200{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.191{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.156{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.147{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.139{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000269140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.135{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBC1870017CB91169139319BCBA2728,SHA256=B5F70E3D4DC74F0FFFAB518293D66400C74ECD482C104CBD6FDD7175E0944927,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000269139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.134{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.132{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.130{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.127{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.122{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.121{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.118{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.117{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000269131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:28.115{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 354300x8000000000000000269130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:25.560{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65384-false10.0.1.12-8000- 23542300x8000000000000000166911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:29.230{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AB3784F0FF768AE9C44A2E8763BDAC,SHA256=1ACD89116A485395A413F7EB08D32EEBF0BA5B1E3C18122E30E618B2D6ED3D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:29.060{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED4D467BAD21050C92A4109DB9D2B91,SHA256=69019AF2A4A7373D3EF942D203ED8E8B23C2FB09AACFD01A6629F2B94B266869,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000166910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:26.059{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55281-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000166912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:30.283{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFC041ED54727E77DC690F699B3FC45,SHA256=780F3F86F630D97648125C552B1F9CA07C4BC87823A41F6BC23F79D4875FC574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:30.063{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE6F03D38173A02F2886922815AD9E1,SHA256=B38525EC1477A9245E48314E59F27D09345B1CB9BE42A6217F6D3738D8812CD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.864{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DFA54CCE42F6327FE8CA171D83C520,SHA256=A25ED1612F0BC6FC96C737C1E9CB3A1A8F90FC2DAC4AD71CD4E8C040FB0898E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000269248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.734{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.734{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.734{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.734{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.734{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.734{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.734{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.734{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.734{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.734{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.734{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.734{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.733{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.733{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000166913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:31.383{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0824C0835B5BA5A76EFEF12E1A7DFC2C,SHA256=DBBCD4F65CD72C5C643ECB5201A3738A7451DBD17FFE7A56A1833F2E898467B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.733{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.733{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.733{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.733{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.733{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.733{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.733{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.733{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.733{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.733{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.733{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.733{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.732{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.731{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.731{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.731{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.731{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.731{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.731{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.731{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.731{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.731{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.731{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.730{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.730{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.730{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.730{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.730{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.646{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.646{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000269187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.321{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A6E5A326C74F6FD389E69C712D407BA1,SHA256=8E2544BCA3FE464632C473983FDAAA3D8054EE8AE1159B691F808419E9A71347,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:31.267{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2184D06181B706124C588789FB58523,SHA256=700C7727CCD41B581E9C136495D867FB45154E0F28653E6A71B018A35F8E1EA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:32.500{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3E304C13B13A1910D3A89C617FF1FF,SHA256=870CC790E2C9538F425DFAF05E7AD441FE209E60C8E7FA06483D34F13AF1DF88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:32.501{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB9644B3D75A371D7991E19336BFBF45,SHA256=0C6D036B785B1BC86005CD2A831857A86E2626922BB18285CC6703D3EDF0EDCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:33.617{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16CDC2ACC1D92DA0EA9D428251B3D96,SHA256=692B4170FA2968F2B34BECA7B04766E48C132099EA20DB159EC9D7A01EC13427,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000166915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:33.532{E743DC12-D550-6322-0D00-000000007502}7843528C:\Windows\system32\svchost.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000269252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:33.605{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D65AD5CA35B0C37DC9E7A4988E4928,SHA256=20791081D2F3FCB123C8F315B2B2B42834F2F6CD90303B2019EDEAEF98052361,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000269251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:30.650{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65385-false10.0.1.12-8000- 23542300x8000000000000000166918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:34.635{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CD25259220880A684746F0E1D956CD,SHA256=F11571CADF6B409655EB6099035E6463EC18AA1E2BB6F0FDDF6EE9E64887A533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:34.810{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B94C471152EC4338159FFF28E620EE,SHA256=FB41E2CEE1998D325C68A2C8F420B0D42CC084209E8E7C4BA479472F4FE115E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000166917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:31.065{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55282-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000166919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:35.761{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6232022D2D5027B095E7D417F809C878,SHA256=D5E4FAC619723D89DD1083980C0482DF277432947F2AFE39820D8E8C17727942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:35.813{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8300CC4CBE8C0031BEF0E6F2F8DE7656,SHA256=4EE3288549E9B7CA856A748531F2C1792402EF7AE9E2F3A8294755A4957DC2A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:36.918{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997168DE05DBE8D0644F73D2B726B879,SHA256=31E955D95424415A827BF5F4519FA03181B6656F3B88F424E574AFD59B1AA3C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:36.788{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416F01F574E63E5048E553DBF9DA5489,SHA256=BD6C9F981ECBA9452B546ABC5A007EDAE62A510E5D71C441ABBB26CE47FB44EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:36.738{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:36.738{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:37.993{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:37.980{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:37.971{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:37.959{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:37.956{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000166921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:37.921{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3768F8B47823A94F5A0D5BC5DC00A024,SHA256=6603F79C220AE9AA4971E2ACD46A3E033C80EB5B9EA323F1FC7172F490FB3B87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:38.122{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210C8ACC208C2FED512E43BAC6827074,SHA256=B96BB7D0EC57B5559FAE22DD69DE58681B495D351FF2B63FA628F97E7D3C8EF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.410{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141393E6DEDD56688CF44A6CACADA6E6,SHA256=2EF5345C112EC377E665EEEEB1A853B289BC12B61F742F3C4071FDBD08E26E4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000166971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.293{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.293{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.288{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.285{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.283{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.265{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.263{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.262{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.256{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.249{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.239{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.234{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.225{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.223{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.205{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.191{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.181{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.159{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.149{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.134{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.122{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.120{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.118{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.116{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.115{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.111{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.109{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.108{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.105{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.104{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.102{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.100{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.092{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.090{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.086{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.080{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.078{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.066{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.059{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.036{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.029{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.022{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.015{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.005{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:38.000{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000269260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:39.228{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9356E3F48E56DA244EBAB2EFB94BB0C7,SHA256=E9ECEA1735238CDC0215553E9C203428D23020703A3FD7DE6B17B80F2EBC665B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000166983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:02:39.605{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000166982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:02:39.605{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x019b2a7b) 13241300x8000000000000000166981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:02:39.605{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c90b-0xd0b44fc8) 13241300x8000000000000000166980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:02:39.605{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c914-0x3278b7c8) 13241300x8000000000000000166979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:02:39.605{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c91c-0x943d1fc8) 13241300x8000000000000000166978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:02:39.605{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000166977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:02:39.605{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x019b2a7b) 13241300x8000000000000000166976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:02:39.605{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c90b-0xd0b44fc8) 13241300x8000000000000000166975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:02:39.605{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c914-0x3278b7c8) 13241300x8000000000000000166974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:02:39.605{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c91c-0x943d1fc8) 23542300x8000000000000000166973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:39.004{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759712B66C1D9E4213D5A0DFAB3BA264,SHA256=3995A79A4F5110372BA811448766A385855F5CF6C0C59F635BD88DD659704921,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000269259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:36.583{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65386-false10.0.1.12-8000- 10341000x8000000000000000269263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:40.566{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:40.566{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000269261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:40.532{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1E590197E572B9D1AB2FB75BDB9E724,SHA256=641B50ADC23C2FD21015D5AE1D4D66257456ADA75B55559D3C1BC32BEF70A272,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000166986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:36.920{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55283-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000166985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:40.205{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=422BAC94C79F2D47D7169D8DFD15A292,SHA256=264D0BF76F364011BC60EED029707D6E260CEB6B2C7D74DEDE9C1F70EE990F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:40.121{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C41C9AAB646C3CBD1D80FD3124D8710A,SHA256=A28A4E03DEB50029E0C9B6CE77A66D027768D0375175CAA4CB3F89F71BE77DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:41.640{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50C0110C3CB6135FDF2EFE2FEBA3F10,SHA256=A396C6CBFA7B4CE8282D8B5B2CC73ADEED6348A9C5F098760388A7CB6707F35A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:41.239{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942202FC57B423CF8A1B21D09F938031,SHA256=0F08AF23EC93893859BBAF70829BDDB50E53740F983300D82B0E1B80EDFB0FD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:42.647{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E625E67AB23ED7E90C04E9D199CEC06D,SHA256=7A6FD608501F9EBA8CDBC08DFFE706885C9F8FE22CBF61BD194A83443FD9150E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:42.376{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B5FD4521E4B1DC1314B5123E5B692F,SHA256=180B05BB12D4720EEF9B009396AD2B160C9D028C640C32FC05A0ED25224DCC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:43.752{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1816D83DF1D5085F8DC430359D0F8F70,SHA256=41F96228A3BAF3424D01A0B792DF1C3AEB770779061FFC400732229661B7D6CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:43.466{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5294CDD975FDDAD12243686272EEFF99,SHA256=625DDCE229055DCB32843F7D50EB8693C20D25138140A1E2BC207C7E0CDA8E78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:43.139{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:43.139{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:43.129{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:43.129{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000166990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:44.492{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFBBA1F6617FFA6F1270DD0DB3A93C11,SHA256=75646F4042837B0C53A822F066F819B940CAC21DD9258DD75EEE55DF837EAE00,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000269278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:44.567{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationAccessibility.dllMD5=B2E013306A84513CA912FF6DE4F53C4F,SHA256=AB56D0A7507FBBB187D165BAA5046F210D14D18FCDBCFE494EF7794843917F97,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000269277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:44.566{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationAccessibility.dllMD5=B2E013306A84513CA912FF6DE4F53C4F,SHA256=AB56D0A7507FBBB187D165BAA5046F210D14D18FCDBCFE494EF7794843917F97,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000269276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:44.566{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationAccessibility.dllMD5=B2E013306A84513CA912FF6DE4F53C4F,SHA256=AB56D0A7507FBBB187D165BAA5046F210D14D18FCDBCFE494EF7794843917F97,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000269275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:44.562{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85,IMPHASH=60EA58ED63BD25EC1709F72F112B0086trueMicrosoft WindowsValid 734700x8000000000000000269274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:44.518{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Drawing.dllMD5=10E731CD4FE19798054F2D564012364F,SHA256=F23C4888571741A8528631F72F21F061F936626F11CC43FB851DC1A2D73B2E9B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000269273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:44.517{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Drawing.dllMD5=10E731CD4FE19798054F2D564012364F,SHA256=F23C4888571741A8528631F72F21F061F936626F11CC43FB851DC1A2D73B2E9B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000269272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:44.517{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Drawing.dllMD5=10E731CD4FE19798054F2D564012364F,SHA256=F23C4888571741A8528631F72F21F061F936626F11CC43FB851DC1A2D73B2E9B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 354300x8000000000000000269271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:41.673{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65387-false10.0.1.12-8000- 23542300x8000000000000000166992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:45.567{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91C0B28CF5BFA69D3F4F729C5AB9A4E,SHA256=4DEEA3B31162B0982E2EC84E94687C0AB23B192A4BCE93AD9BB62326F1BAA063,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000166991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:41.990{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55284-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000269303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.778{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.775{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.504{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(00000000011234C4)|UNKNOWN(00000000011233F4)|UNKNOWN(00000000011233CB)|UNKNOWN(0000000000E9D11C)|UNKNOWN(0000000001140E76)|UNKNOWN(000000000981FA09)|UNKNOWN(000000000981F9D5)|UNKNOWN(000000000947AA1C)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 10341000x8000000000000000269300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.371{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.365{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.358{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.354{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.345{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.340{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.338{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.334{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.327{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.299{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.272{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.268{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.257{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.242{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.234{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.224{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.210{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.198{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.183{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.104{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.100{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 23542300x8000000000000000269279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:45.074{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E3C19ECD2A0AD13EFC1F0E60FA0092,SHA256=4E079798ABA9D5981E4DF844758345FADEAA8255C84A7A4E2CB88EC3B7F783D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:46.709{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86DB3AD14F1BAE0D9EB2502FC924AACC,SHA256=5430E9F464E6B3CD2EDC36FB6388913437C36598767EDE6B903966C3342F9CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:46.092{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13B123CCB74B10E0EA7D37D181DD2FB,SHA256=4D4F8C0B29088D1D70CEB161BD1471C7A0FA28EC9873F43B47D6AC0C9E74B024,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.914{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FDA58E6314C75FA3FBB744B25C72F9F4,SHA256=020B3AF7A8D7AD8B785335BCD561B6254C7F8150152674948BCFF874A04BD806,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.850{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E97-6323-5A0F-000000007502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.850{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E97-6323-5A0F-000000007502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.850{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E97-6323-5A0F-000000007502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.850{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E97-6323-5A0F-000000007502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.849{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E97-6323-5A0F-000000007502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.849{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E97-6323-5A0F-000000007502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 23542300x8000000000000000167003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.815{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA887BFA64D22CE1E49F8CA51DF127E3,SHA256=CC48E4BCA2F423C6F8945E078C6B71CD7CEA93E31B30C676EE56DC2152C13B16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.794{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E97-6323-5A0F-000000007502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.794{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.794{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.794{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.794{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.794{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-3E97-6323-5A0F-000000007502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.794{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E97-6323-5A0F-000000007502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.795{E743DC12-3E97-6323-5A0F-000000007502}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000269316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:47.790{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:47.788{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:47.783{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:47.781{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 734700x8000000000000000269312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:47.730{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000269311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:47.729{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000269310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:47.727{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000269309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:47.725{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000269308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:47.724{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000269307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:47.724{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000269306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:47.722{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000269305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:47.396{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B137C72EDA077B4DF01548012129D318,SHA256=49FA5CF988601D80B54150A46ABE2542517DADAAB17EE5AE4F0554554A9C3CCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:47.371{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-437MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:48.874{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2987E6985CAB52ECE813B8869F9432,SHA256=F39D7AD7E7CF369EB43A21FD075772A5649B1267049A119C7415696807C2C956,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.639{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.636{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.632{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.631{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.609{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.605{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.602{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.594{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.591{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.588{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.584{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.576{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.572{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.567{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.564{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.563{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.563{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.561{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.545{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.543{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.541{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.537{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.527{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.523{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.518{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.515{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.512{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.510{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.510{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 23542300x8000000000000000269337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.509{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1444C07E747AD24F651BDB6EA1BDD8A5,SHA256=54D9DF20CC41309F3D5AB7360A593CBA7E65F97C24C56B11F06229DEF3AA615E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000269336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.507{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.504{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.496{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.494{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.471{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.469{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000167020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:48.647{E743DC12-3E98-6323-5B0F-000000007502}4928296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:48.474{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E98-6323-5B0F-000000007502}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:48.474{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:48.474{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:48.474{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:48.474{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:48.473{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-3E98-6323-5B0F-000000007502}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:48.473{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E98-6323-5B0F-000000007502}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:48.472{E743DC12-3E98-6323-5B0F-000000007502}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:48.371{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-438MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.439{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.427{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.364{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.356{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.337{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.321{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.319{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.308{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.302{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.300{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.299{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.295{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.294{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 10341000x8000000000000000269317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:48.292{6820D070-DD11-6322-8606-000000007402}52805352C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038F10) 23542300x8000000000000000167042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.974{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574CD2F4628398BC738BD89F7C1994A0,SHA256=9529FB344878F914E08696BC2FCA3B79781B755EB017465097C3725E6A873504,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.906{E743DC12-3E99-6323-5D0F-000000007502}60002704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000269368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:49.672{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02221D2FD5EFA74C01BE08C61562E6E,SHA256=56645BB7BEB5B3DBA94E6736B574944A0B3600FE638F1F78EA60CE429DDFE719,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.717{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E99-6323-5D0F-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.717{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.717{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.717{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.717{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.717{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-3E99-6323-5D0F-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.717{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E99-6323-5D0F-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.718{E743DC12-3E99-6323-5D0F-000000007502}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000167032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.217{E743DC12-3E99-6323-5C0F-000000007502}42842068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.078{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=12F083C0BFC745C72F916EB1D4976A7F,SHA256=2FC4069D9F1B3D5248C6A8478754D34D15BE77D87C8B798E06D447BDF20DA203,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.040{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E99-6323-5C0F-000000007502}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.038{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.038{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.037{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.037{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.037{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-3E99-6323-5C0F-000000007502}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.037{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E99-6323-5C0F-000000007502}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.035{E743DC12-3E99-6323-5C0F-000000007502}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:49.034{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9E4508B9DB236503189799E56E367E0,SHA256=4FB307A1EE70813C56E0D335835E40B9EF57943F0B55B76EF8200B6EB89BD4BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000269367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:47.565{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65388-false10.0.1.12-8000- 23542300x8000000000000000167052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:50.954{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BAA2A551B7659D8A3FDF42255EBC34,SHA256=3B4A717CD5C8D8CD6DCEF7F06C37EFB0B5466F468D610CBC80907CBDE6D2A02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:50.831{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9603062D7CFCD00C527491EBE358F08C,SHA256=BA80210F2B0A4077D19645B15E5EB352B24AF61E2CDBB17906F11D6DC5674BD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:50.417{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E9A-6323-5E0F-000000007502}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:50.417{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:50.417{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:50.417{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:50.417{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:50.417{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3E9A-6323-5E0F-000000007502}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:50.417{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E9A-6323-5E0F-000000007502}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:50.418{E743DC12-3E9A-6323-5E0F-000000007502}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000167043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:46.996{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55285-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000269370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:51.937{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9B46C2847580748E754AE650195117,SHA256=7A3952E9269ABF8773D9EA96A027B7BD7EDE02A16DFCA8F7D8031106ADF7BA86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.975{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE5034087B020AEC13717B109C0EF1E,SHA256=D03A39731169E63939C63A7AE5FB81A02491A9FAEF7A334026B739FAD53C1433,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.793{E743DC12-3E9B-6323-600F-000000007502}43003980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.635{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E9B-6323-600F-000000007502}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.635{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.635{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.635{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.635{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.635{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-3E9B-6323-600F-000000007502}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.635{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E9B-6323-600F-000000007502}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.636{E743DC12-3E9B-6323-600F-000000007502}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.293{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C879A549CE715C7374EF40804AF62AE2,SHA256=88E6AF46D923878C728C3B00DD5275A45F2BF78E6087297432C2B9ED220D1818,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.093{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E9B-6323-5F0F-000000007502}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.093{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.093{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.093{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.093{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-3E9B-6323-5F0F-000000007502}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.093{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.093{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E9B-6323-5F0F-000000007502}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:51.094{E743DC12-3E9B-6323-5F0F-000000007502}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000269372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:53.964{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7F5A5918A2A060D04B2A9A9DCD9230A8,SHA256=695176F2970BAC10CE5F69D3EF6B76B5061B3E82967A3AE44BD93C6F44C62AE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:53.044{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C812E6D5ECD8777D71C1814CA5A246,SHA256=6DECB48DD98792192B22A165A3A00CFAF2AB1C8C70DECBF473843692909B8612,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:53.071{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C266CD92209ADFCF201445A492B9E8,SHA256=7DFF11C6BEBB5F0E84C4C82C0A9A2036027CE5B7585FC7FAC64DDDB029EEE6DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:54.169{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F10AC707298F46864B5FEBE5C88406,SHA256=4446C8BB2D117C3CA8C0EDAADB35809B54940AAFC32B58A526424CB8CF597E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:54.150{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA929AED90C737150FCF09A0B072B364,SHA256=B68ACE4CFDD5AD2E9EBD9BC1A9B58BFD947768FA534AC63F488CB531C457AAA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:55.717{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\26608MD5=0422C478331792112898F03820D4C03F,SHA256=617087ACE7B512840B00950E52A61821BB5AC539AB725915CD9CA243DE41C320,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000269375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:53.526{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65389-false10.0.1.12-8000- 23542300x8000000000000000269374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:55.256{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66C56BFC36E1E09874E2A97AF0088E5,SHA256=BC6F8250E8853D058B15827C1BD1B42806397DB7A7CC326B693A80B01AA8FA66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:52.916{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55286-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:55.295{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C58A96A0494AB34092949D94A38500,SHA256=A868F19451D2301E535654A4F4CEE56E6EA919968ED60C7E6DE9AC749FB92616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:56.363{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D709D4CBAA352116F5235DCBC132EC,SHA256=208A64D82E2DACD9C26F3213C9CA4BC5FBA7B47C62AB73657FE8DC717314BC51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:56.322{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD0E3D897F1C35D3168C1A2ADF7CA57,SHA256=6A86C559B21D8C38717E0CBEAF411D9F9459DFAFA2896CEE96288EB7E5BD6BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:57.368{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC040305BAE7D438AD0E00E364316976,SHA256=0A80F218F733C65DA52575E7D6DD5AE73E26FF3523B6A8A7903787F57FCFCC92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:57.985{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:57.976{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:57.967{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:57.959{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:57.956{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000167077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:57.438{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FCD8A731EC965E93EE2E5F2C39B11D,SHA256=EC0CDB6226369054FAC93336851BEBF9A3B35D6F13942B9C41E68B385D319B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.698{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A318217D74E084B2615B2E13F945B1,SHA256=1BC373E608FEA13B70F4503EBA195610C567D36EF8FE7744CF1BFD9E506C1482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.698{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E896F2C62B821E097135159E86DD451D,SHA256=BC1A915ACE63A5A60FC0C1235A341F6A0FA795ED937235D9921EC86A1D3C572B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:58.474{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529DFB5605BC3435E4A22FE2787A1B5D,SHA256=D69AFCB870EC11365C61A904E09A85612B8C41A03AFD9E2AAA67EABAAA7797C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.326{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.324{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.321{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.318{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.317{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.305{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.304{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.304{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.301{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.296{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.293{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.291{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.283{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.282{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.262{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.235{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.216{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.172{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.160{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.148{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.141{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.138{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.136{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.130{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.129{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.126{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.123{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.121{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.118{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.116{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.115{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.113{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.106{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.103{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.100{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.093{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.091{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.078{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.069{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.046{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.040{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.032{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.024{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:58.009{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000167083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:57.997{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000167130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:59.799{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635791678367D9E7158721743BEE1BF8,SHA256=323F53254DD54BC8CED1198354B53EC8ED41A9C06E39DC496B39664B1DEF0755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:59.579{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF32DDF036D849808BCF43720A60FCA,SHA256=04B3AFC1041029BDF8F5194424B33E2EE4CFD8CBF833DBB71CF6489E9DDA1EC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:00.685{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8018B3F3743EF00BE5B2AD6C8F60F573,SHA256=ECA6AA11D3F18C089A965A35453221FC7B7A13AA33A371E99E2EDC05FBD20201,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:00.910{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FF1686352442AD951F4874CE95EA8F,SHA256=9D78F0DB38BCA2CCEE79F7B6DF841E4C9ECA40C1720A1A807E73D0B5C5B5794B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000167131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:57.958{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55287-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000269383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:01.993{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79F769D253A1637782FDA7D429778DC,SHA256=2071C7BBDCBE8F65EECA6BBE5560B13F15D36148BE571BBE3D4CE11C40A37305,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:01.928{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE6A46B835EA58AC97F19361FC4C1E9,SHA256=0389533390E51B0C29F75CFB345C0202176A52338DDBF6B083C6208062EB37FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000269382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:58.708{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65390-false10.0.1.12-8000- 23542300x8000000000000000167134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:02.956{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8F5BCE69C9C566005401640FE59220,SHA256=8EB47E5FCFEEA6850D697C35424BFE237B48058556BB3F67E61C6A71B456877B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:03.977{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0BDFB8F99EB455675503E5F340AE07,SHA256=A5A9F997DB7644ED65EFB2938EF6ACEB64DEC0BD87A12991D2B56B37EB7FC23E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:03.300{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2122BC04FA3B293FB219F08889E7A874,SHA256=5E98B422E8AB6DB66ED3234FBAB3F2906C755B0106AD5A59F798C86513DE6E85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:04.448{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26A57DE086F66AFF6832CD43C718C3E8,SHA256=8C52A8A62210A85DBDE78968D21E75904C05E62A67B06EA6721551DAAC12F935,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:04.403{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C87298A10FF2C4997908C7BFA6D8B9,SHA256=85899699E4378F1EF5A8C1D3E6EC3A723F2C47DEE8D2559B7CBB72D10032338E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000269412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.704{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.703{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000269410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.515{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76F7EFD6C71F7E91E743E49A970C8BC,SHA256=315F5794B1686154C4FAA3170653E02ACB6E2181A3399A807EC80EA965CB7022,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:02.977{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55288-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:05.103{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524C408E93C42AD895BBFDA8FF60D8FF,SHA256=2D1DF4A34ECA6CE619ACD8D935780B0126A004A91C49CE8E56F8EB68A59BE55A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000269409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:02.711{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65391-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000269408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:02.711{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65391-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 10341000x8000000000000000269407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.285{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.275{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.267{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.263{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.255{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.252{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.250{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.247{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.239{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.203{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.181{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.177{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.170{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.162{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.155{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.144{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.137{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.128{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.120{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.068{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:05.066{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000269414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:06.621{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFBAADB9225D340241B3C5843FEA630,SHA256=4B7B03282168FAF7C86111963DFC333358032E23BE7AA60E5D9885FD881187DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:06.230{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C5EEA6B5B58C2563278F6E2A675604,SHA256=2ACE06D82CC176E27F9710F461D32D3A2C28BE19FDA8583ECFC44EC6507F4C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:06.029{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-447MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:07.726{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96E3B1C8568D2A71C53F31FC20C021B,SHA256=01AF158B928A0C8722FE088FF2AD325438C97F149BDAD7599297C56DFB14E3FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000269420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:07.719{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:07.718{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:07.710{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:07.708{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000167139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:07.251{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA03DE007FAC6D5BB72F931ED603C716,SHA256=606461CE158A8E9BFC856AE3CEBB4148564000E855862F0CC5B592537499413A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000269416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:04.562{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65392-false10.0.1.12-8000- 23542300x8000000000000000269415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:07.028{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-448MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:08.284{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2A17F2EE7779295136DFAAB48605D3,SHA256=D2DE0711CB752C6F565150620E5593D8ADC7FFBAB3F2FECEA04C4798B5F57125,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.512{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.510{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.506{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.505{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.484{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.482{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.480{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.476{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.474{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.472{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.468{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.459{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.457{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.453{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.450{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.449{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.449{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.448{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.434{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.433{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.431{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.429{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.419{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.418{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.415{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.412{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.409{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.408{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.407{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.405{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.402{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.392{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.390{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.355{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.354{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.335{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.325{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.281{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.273{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.249{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.244{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.242{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.239{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.236{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.232{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.231{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.227{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.226{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000269422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:08.224{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000167141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:09.321{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20539690EE93A7DBFA3F15FE807DD511,SHA256=B2E8B28B165CF2E425A96B4AFBB0FF9CF46EE192F8726859BB6E3201B5EE4979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:09.033{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C652E7C10D0463F1EE4148DA0BB7699,SHA256=15A88931DA917C73E10286C46F6FAFCB372B3694D652E87ABC09A7CFDF252B5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:09.031{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A25DFF089D88E7961D6D56BD98730C4,SHA256=D9E95E0A90647F4502B911ABFB32BBECAC83DF360CFCF590CEE361CE62661103,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:10.390{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DC17D043FFEE1A88C94C0A03E6EBB3,SHA256=57CCD9C9AA575F93DBDDB1D1EFFF8D4A28C30A6655060725E687E3BAF532CD9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:10.038{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93F52A2A4E6A864F5DC778EF532AD58,SHA256=2445248E76D8040ED654FCA258C6420BEDBE4D7EF1FD699BD1A9B53694BD41F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:11.512{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC202EE1A82A6109E7BC03A06DE4930,SHA256=6C2D983FA1E2347E4FA57F8AE51DD1F7D15148AC038A9D8D85157B59663597BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000269475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:09.605{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65393-false10.0.1.12-8000- 23542300x8000000000000000269474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:11.143{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC55D3236F8EC03F5E166135BFD6D5B,SHA256=A0B461B6D11BD4BED17CD2FAF53072CC34440F94EF5E92F8DCE32EBAC3D601FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:11.285{E743DC12-D550-6322-0D00-000000007502}7843528C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:12.539{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CADAA00E4240726E1CF6AF2BD49F66,SHA256=5BD7F8D7FB38C54EE7F7E68BB3F731B08DC36F255D31A8B6098610EDB32DEB24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:12.449{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847DB8759A284E14E8B1FBB7ADAF4EBE,SHA256=F2CEC26AD900898C30E482451AB4C7BEF36F7C99DC6EC279A1A15DDC0B22EC98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:09.018{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55289-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000269477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:12.212{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:12.212{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:13.571{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E4D66B1C3EB9D79C31315DC94484D3,SHA256=5758BE80952F05235BC095C36537321895EA021F1616A395FB8A44C1F71A752A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:13.454{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108B294A019AC11387D3DC9D7E22907B,SHA256=79446F0F0550DBB70DC2D64622344A35ACF5455DA5A294F42B51EF9175F03807,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:14.673{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A126014107FE97C304A1005E39C75C2,SHA256=191809F546959DA9A4E3365DD5213D2D4214ADC0476670375E03654CE2D55547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:14.560{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0192211AB4D60DC66C2F26DD32DCDA,SHA256=8BF14488622F9169F58A1B7AA042E5D5F240C0FE8DFE5F8E2512EF4838E2330B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000269481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:14.439{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:14.439{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:15.816{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9682D218C8CAF98790B742C4E85075,SHA256=FCDA068ABBA897F698BB0DF562D12CF0B7686D07286E03822EC2241B348ACC95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:15.565{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741FD485C0802DBBD627C0D9227464E3,SHA256=250F27165151292553BEB99078BEF795C54B9E277F71EC6D6BF33CA55399CB2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:16.858{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E57C698FCD83AD91AA349BAAFE3E2ED,SHA256=E9EAFD83B41B16795F8BC82B4794E568A8D5CAA23898576C53050B263C273DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:16.771{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FCAACA170A8D0D37BB836A92A3AB35,SHA256=76460B43DE56BACA7F56315E0AAF114722558B75111175DC22C64489315BBEA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000269485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:16.007{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:16.007{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000269489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:17.917{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:17.875{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FA24057FDA248C857529D1FE47B5D2,SHA256=D4408CB450203765AB0559093BF9A8CCADE5F4880702E1BA160CEC884404DF4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:17.995{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:17.986{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:17.973{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:17.971{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000167151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:17.963{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681B1B187A7E32F4CEA97D3CE5DCAF53,SHA256=DB6CB15EB2802EDED95C73390920E2251FA0C079EC50D47D81AC493917E330B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000269487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:14.659{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65394-false10.0.1.12-8000- 734700x8000000000000000269588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.894{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000269587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.893{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000269586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.892{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000269585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.891{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000269584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.889{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000269583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.889{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000269582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.888{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000269581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.888{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 23542300x8000000000000000167203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.418{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CD0F7FBEF1C65ABF7E737D858337A3,SHA256=3264E99DFC5168CB3EAC9618DBA4B596603A2B2462D352A4470EBDB504F10547,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.275{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 734700x8000000000000000269580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.879{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000269579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.878{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000269578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.878{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000269577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.876{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000269576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.876{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000269575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.875{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000269574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.875{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.875{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000269572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.875{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000269571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.874{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000269570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.874{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000269569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.874{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000269568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.874{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000269567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.874{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000269566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.873{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000269565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.873{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000269564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.873{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000269563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.873{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000269562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.873{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000269561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.873{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000269560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.873{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000269559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.872{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000269558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.872{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000269557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.872{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000269556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.872{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000269555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.872{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000269554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.871{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000269553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.871{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000269552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.870{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.868{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000269550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.868{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000269549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.868{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.867{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000269547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.866{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.866{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.866{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.866{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.865{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000269542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.865{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000269541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.864{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000269540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.390{6820D070-3EB6-6323-3E18-000000007402}20042220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.389{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000269538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.389{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000269537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.212{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000269536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.209{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000269535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.209{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000269534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.208{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000269533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.206{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000269532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.206{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000269531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.205{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000269530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.205{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000269529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.204{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000269528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.198{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000269527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.198{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000269526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.198{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000269525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.197{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000269524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.197{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000269523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.197{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000269522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.197{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000269521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.196{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000269520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.196{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000269519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.196{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000269518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.196{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000269517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.196{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000269516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.196{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000269515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.196{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000269514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.196{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000269513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.193{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000269512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.193{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000269511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.193{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000269510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.192{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000269509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.192{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000269508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.192{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000269507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.192{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000269506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.191{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000269505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.191{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000269504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.191{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000269503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.191{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.190{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000269501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.189{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.189{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000269499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.189{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000269498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.188{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.188{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000269496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.188{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.188{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.187{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.187{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.187{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000269491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.187{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000269490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:18.184{6820D070-3EB6-6323-3E18-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000167201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.272{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.270{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.267{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.265{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.255{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.254{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.253{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.251{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.248{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.246{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.243{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.236{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.234{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.218{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.206{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.197{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.174{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.168{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.159{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.151{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.149{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.145{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.143{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.142{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.138{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.126{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.121{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.119{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.118{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.116{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.114{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.110{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.107{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.104{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.098{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.097{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.084{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.076{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.053{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.048{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 354300x8000000000000000167161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:14.991{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55290-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000167160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.040{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.031{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.016{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.010{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000167156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:18.004{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000167204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:19.069{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF29B692E28688312FD6C14D1EDA64A,SHA256=E9EACA514892120F0AE62D56182E56102799C339A868FA3CB91D796579578B47,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000269646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.726{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000269645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.725{6820D070-3EB7-6323-4018-000000007402}68447668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.725{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000269643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.724{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000269642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.556{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000269641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.556{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000269640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.555{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000269639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.554{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000269638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.553{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000269637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.552{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000269636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.552{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000269635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.551{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000269634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.544{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000269633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.544{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000269632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.544{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000269631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.543{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000269630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.543{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000269629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.543{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000269628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.543{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000269627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.542{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000269626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.542{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000269625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.542{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.542{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000269623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.542{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000269622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.542{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000269621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.542{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000269620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.542{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000269619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.541{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000269618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.541{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000269617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.541{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000269616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.541{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000269615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.541{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000269614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.541{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000269613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.541{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000269612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.541{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000269611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.541{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000269610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.541{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000269609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.541{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000269608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.540{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000269607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.539{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.539{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000269605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.538{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000269604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.538{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.538{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000269602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.537{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.537{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.537{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.537{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.537{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000269597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.536{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000269596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.535{6820D070-3EB7-6323-4018-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000269595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:17.373{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65395-false10.0.1.12-8089- 23542300x8000000000000000269594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.257{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD368721D46EDEC15A6093353C2BDC2F,SHA256=D023FFF4DE6CDF69F9A32B4506860F1B946C7977E6A86B1130D1275B35285835,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.254{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCB44167EB72DC720F3E324DCEED4901,SHA256=5ABC209FFC6C62C4A02B12F02F62F0DD4042AD272D81663C21AEA4F264664167,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.200{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=080160BE8A50AFAABB9592C063060326,SHA256=E99B3EC33393A902CF549951E2256ECE8A70C94B00C603795D143F24F312113A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000269591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.113{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000269590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.111{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000269589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:19.111{6820D070-3EB6-6323-3F18-000000007402}8000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000167209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:20.367{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:20.367{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:20.367{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:20.351{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:20.161{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BEB88432F5572FB4976ED67FE2FE3D,SHA256=9D278C70B5B88E4F2D5588414C91CF63555DC7DA3C501D050F6472FF4ED7AEDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.969{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000269759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.969{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000269758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.969{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000269757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.969{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000269756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.967{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000269755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.967{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 23542300x8000000000000000269754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.939{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D787CBCFB10DCB9B4387A5DA7329CD4B,SHA256=64C328BE28181D73F8220DF4058A9AD97C56236664B8058E673955E50595923E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000269753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.827{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000269752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.826{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000269751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.826{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000269750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.825{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000269749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.823{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000269748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.823{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000269747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.822{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000269746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.815{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000269745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.815{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000269744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.815{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000269743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.815{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000269742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.815{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000269741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.814{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000269740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.814{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000269739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.814{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000269738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.814{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000269737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.813{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000269736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.813{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000269735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.813{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000269734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.813{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000269733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.813{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000269732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.813{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000269731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.813{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000269730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.813{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000269729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.813{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000269728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.813{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000269727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.812{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000269726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.812{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000269725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.812{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000269724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.812{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000269723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.811{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000269722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.811{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000269721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.811{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000269720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.810{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000269719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.810{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.810{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000269717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.809{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.809{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000269715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.808{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000269714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.808{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.808{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000269712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.807{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.807{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.807{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.807{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.807{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000269707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.806{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000269706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.805{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000269705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.677{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.677{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.408{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000269702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.405{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000269701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.404{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000269700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.286{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BE269984A1BD6CFA0094BBDD1B416D,SHA256=3CF4D532A9CDDBA14B90871ECFFD28AEE7DFD01768D6C5CD5E6C169078C72847,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.279{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885B82C051E1EC4170BF10CC1195724C,SHA256=23AA374E08950EBDDC44692883BDD9CD4E4FBED68BFF1323AF6C2EE81C239E94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000269698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.228{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000269697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.227{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000269696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.227{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000269695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.226{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000269694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.224{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000269693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.224{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000269692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.224{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000269691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.223{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000269690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.217{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000269689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.216{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000269688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.216{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000269687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.215{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000269686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.215{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000269685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.214{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000269684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.214{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000269683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.212{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000269682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.212{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000269681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.212{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000269680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.211{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000269679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.211{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000269678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.211{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000269677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.211{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000269676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.211{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000269675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.211{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000269674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.211{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000269673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.211{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000269672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.210{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000269671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.210{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000269670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.210{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.210{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000269668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.209{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000269667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.209{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000269666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.209{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000269665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.209{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000269664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.209{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000269663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.209{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000269662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.208{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000269661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.208{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000269660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.208{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000269659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.208{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000269658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.207{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.206{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000269656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.206{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000269655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.205{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.204{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000269653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.204{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.203{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.203{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.203{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.203{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000269648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.203{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000269647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.201{6820D070-3EB8-6323-4118-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000269818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.768{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000269817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.768{6820D070-3EB9-6323-4318-000000007402}67928012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.761{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000269815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.760{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000269814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.603{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000269813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.602{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000269812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.601{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000269811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.600{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000269810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.598{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000269809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.598{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000269808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.598{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000269807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.597{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000269806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.590{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000269805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.589{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000269804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.589{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000269803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.589{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000269802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.589{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000269801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.588{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000269800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.588{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000269799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.588{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.588{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000269797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.588{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000269796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.588{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000269795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.587{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000269794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.587{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000269793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.587{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000269792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.587{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000269791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.587{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000269790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.587{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000269789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.587{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000269788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.587{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000269787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.587{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 23542300x8000000000000000269786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.587{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F448FAF40B1328F65B80D438D56241,SHA256=0CA82DF8F3F660A85E4861A0951997E9B2A85915021A13E37CF4A56A51F7416A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000269785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.586{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000269784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.586{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000269783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.586{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000269782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.586{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000269781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.586{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000269780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.586{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000269779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.585{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000269778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.585{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000269777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.584{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.583{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000269775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.583{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000269774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.582{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000269773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.582{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.582{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000269771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.582{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.582{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.581{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.581{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000269767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.581{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000269766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.580{6820D070-3EB9-6323-4318-000000007402}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000269765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.240{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.240{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:21.346{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8F19022A0A1F50F4F7BF055918B6F038,SHA256=154BF6611D51433ED269FF02AA5C96931FE506973169B2D8898EDAC6C54628EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:21.246{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5199E4BCCBC675B9EFB31092413346D1,SHA256=EEBDE4A98FE23A92D97DD27B741503B6937DD511A15690E147676F570D6B4C63,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000269763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.099{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000269762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.097{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000269761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:21.096{6820D070-3EB8-6323-4218-000000007402}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000167213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:22.402{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:22.325{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11720A289E5C9CD9FFB80368937968DB,SHA256=2E25EA53BD8388C9544DA746C94FA2CB55D0866052FF13128B260081ECB0EFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.870{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAED0446C49D19447CD10E6D57F741F7,SHA256=D3F7B5A07044F3C1F24E7157F8AFD55EAF12BC669279FEF148C5E24A8A8CAF3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000269870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.446{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000269869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.445{6820D070-3EBA-6323-4418-000000007402}73287892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.445{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000269867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.444{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000269866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:20.481{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65396-false10.0.1.12-8000- 734700x8000000000000000269865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.271{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000269864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.271{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000269863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.270{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000269862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.270{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000269861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.268{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000269860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.268{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000269859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.267{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000269858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.267{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000269857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.259{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000269856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.258{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000269855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.258{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000269854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.258{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000269853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.257{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000269852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.257{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000269851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.257{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.256{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000269849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.256{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000269848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.256{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000269847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.256{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000269846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.256{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000269845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.256{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000269844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.255{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000269843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.255{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000269842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.255{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000269841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.255{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000269840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.255{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000269839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.255{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000269838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.254{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000269837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.254{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000269836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.254{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000269835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.254{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000269834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.254{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000269833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.254{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000269832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.254{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000269831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.253{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000269830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.253{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000269829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.250{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000269828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.250{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000269827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.249{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000269826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.249{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000269825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.248{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.248{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.247{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.247{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.247{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000269820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.247{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000269819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:22.246{6820D070-3EBA-6323-4418-000000007402}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:23.356{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE6C232D874CF8593C1593156F3149C,SHA256=BD288230653BACDB815CF04F016802CB9CA4D0AB04C46125846187949B05C6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:23.382{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956CBC800127B3E543F1F3DBEB527937,SHA256=B6C96739BD3248FD3676FCC0DD6B597F972617E64D33A3C143FB0BA614470C58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:20.094{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55291-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000269872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:23.162{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=82852CAFFAE78247B1E0B97431C5B253,SHA256=F64D75B387873E89F173004EE0D3B5C21CC1C3734F9269544D7D25E6CFFC2DE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:24.393{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2635D695EAFE0674F54D432F7DA2CF3A,SHA256=98E143FAB68AF769A365D66E8883367C385339752ADCFAA3ED7AFA49652EBAD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:24.486{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C963AFF26AE225E56C59A9B12ADB1252,SHA256=9B8B480B1D88F26EEE9726D9E11CE69513B07867DD3836BDB9964D3924AD03A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.694{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.689{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000269896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.506{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF1324FE988FBE9081CED997789797F,SHA256=7B2C0E05D888AE51170ED5E86C1DA956B2A621DBF53C69410DE2890147B6A445,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:25.573{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A48A460C2674B72C7E9AF1F6554FF8F,SHA256=DF85668AFFDFECB0B212F23973D7AFAFBC550EEFDFD66D3DAD866B0E888C86CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.287{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.281{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.274{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.271{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.264{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.261{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.259{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.254{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.251{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.222{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.206{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.201{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.193{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.184{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.175{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.161{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.148{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.135{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.126{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.070{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.066{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 354300x8000000000000000167217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:21.231{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55292-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000269899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:26.516{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7333368012828894001907CB590F97,SHA256=FE23F2B89F49E27349F91F595E28E4B7A233C9E5DB1F0C332F2757359464AEFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:26.689{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7B8752C8DA1E50FB00C83B4D67B6C3,SHA256=3A67025414EF15E1E12D7887AD15C7A7DE850EA610C9D57D9489003C3D3B8F38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:27.711{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:27.708{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:27.700{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:27.697{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000269900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:27.520{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9A5237C7F42AF54162EBB4A0FAA8FC,SHA256=C740156121A3A26DEA6E9E473FB54035AD59237A16EE3C906059F55A9C334529,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:27.807{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B1B5C7758FA6EA589A5159845E7236,SHA256=324BEA6700CECE526469669C407A154E3DD388403CED4B6E188A99C2C3C8469C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.983{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211BB096F8704844330FB97CE4010178,SHA256=D713852E4AEAED4339FE3993D2D7978386729C6A1404F48C87226BDFBEE85F97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:28.908{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4476D067304618B78EAFB53CE41D13AB,SHA256=11972EB23E182716F0E63339F9E24B696736F355E5967D8DF97E8B8ACC175067,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.519{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.516{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.512{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.510{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.489{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.487{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.484{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.482{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.479{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.477{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.474{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.470{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.467{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.463{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.460{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.459{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.459{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.457{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 354300x8000000000000000269936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:25.706{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65397-false10.0.1.12-8000- 10341000x8000000000000000269935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.443{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.442{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.440{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.438{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.426{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.422{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.414{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.404{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.399{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.398{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.397{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.392{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.382{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.375{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.373{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.321{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.319{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.304{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.295{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.257{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.249{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.238{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.233{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.232{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.229{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.225{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.223{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.222{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.218{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.217{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:28.215{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:29.055{6820D070-D2F0-6322-1500-000000007402}12524164C:\Windows\system32\svchost.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:29.055{6820D070-D2F0-6322-1500-000000007402}12524164C:\Windows\system32\svchost.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000167222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:26.007{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55293-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000269958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:30.049{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35C98178C48C51D0A2F65F8B28178E7,SHA256=F2280832F78638BA272E02516890972564434A54B12C68EC27707E13DCA89678,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:30.010{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD031ADFB72AD1DFF3D4AFDE077FE1C5,SHA256=D236B71FFF5FE5C7B1A1223F7AFD913E2D4DAF0364C111BD9411EA37E47AD659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:31.322{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AFE896C583E5C4B297197E16DD292759,SHA256=7467D0787BE63961C72549A563BBF79409A5AE20B9161954F70850D5DF62129E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:31.052{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543DBCAC31EB5923C3953ECBC87863EB,SHA256=A8234631F5B6E9A1EF68F0835B866321A1183D42A1437994FF7A6092E4A4424A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:31.092{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4814AC9EEE168DF1C3B3FFDA9623C8,SHA256=AA670902574AA681AF890B9497996BD4630700CE0F5FF386EA7107B163AA0742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:32.356{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B41D2D0B9B3804369F58FDB7FC3CE9,SHA256=9E9BDA408F18DD93B72ED28CFBBF3280062F389D9773D4150083A4CE862565BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:32.112{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70327820EEE3778DA348FA21D51829CC,SHA256=ADDDDAF64203C12611A7C4B491AC8627CB3543267D15672AA301E9D1C851F49D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:33.800{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:33.799{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000269965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:31.525{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65398-false10.0.1.12-8000- 23542300x8000000000000000269964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:33.362{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18726F6154F29FD6D51933EE7010D0CF,SHA256=E76E514EF238C7961A506584C480C95A6D8A83EF805AED52DA1776A19205992E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:33.237{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ADAEDDCC8AF9095F14B04CA935894C8,SHA256=5E0C68615D2A7D4FCE407FB1FACC581CDA3CCD054E5DB752348C977783C0B4DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:33.195{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:33.195{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:34.239{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A8AE6F30FDDFC26B8D5196B881D69F4,SHA256=084FEC230237DB62CBE73692661A1270B988B56013CA105BDD2B5264B9BF6BC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:34.510{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:34.510{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000269968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:34.469{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09EC8ED643711F89FA821C06135300E,SHA256=A33EF916B8DB26CF6B9651A872256483EB2E902F6A4A0E45AFCCAC02338115B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:31.085{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55294-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000269971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:35.574{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13BA40AFACF444F969F2746198F4C78C,SHA256=B79C84950D9D2BFD8A2C3EAF3805A769B93697ABCE08BDD4BCDC715F2263BAD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:35.866{E743DC12-D550-6322-0D00-000000007502}7843528C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:35.366{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18110CB409F7D7049BA2391FDD5F9CE3,SHA256=FC95146360AD4EB58D363BACCD63F28E7718D45D86C25570B891080E28E8D4B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:36.755{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000269974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:36.754{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000269973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:36.754{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1a55719.TMPMD5=AE83E3D1BED7E22F099EC37882555B7F,SHA256=19C20C1DAA5B1C1F7E9A0561569A10ABB7DBF1B544D26F74C2B5990D9C688508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:36.679{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D9A9C969C19EF817C3C6ECBDC57033,SHA256=A460FACEF019F886593014A06E3059DFF59516480DD859D9D7A759FD55FAFF5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:36.441{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474A4B0253C084BE329C6B815405D982,SHA256=C3568DFF9116956F32E016733D757EC3376012167FE505D200E7932A2B5C70FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:37.727{6820D070-D2F0-6322-0D00-000000007402}908652C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:37.727{6820D070-D2F0-6322-0D00-000000007402}908652C:\Windows\system32\svchost.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000269976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:37.683{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F119C50E1E5B0200ACAE70B1B5A2F834,SHA256=83543B9AD53A09BA5A8DF869B887AA9E242E5F64B3D6B220791323AEE7487313,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:37.999{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:37.992{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:37.984{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:37.974{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:37.966{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:37.959{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:37.955{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 23542300x8000000000000000167246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:37.467{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B034EF0BC709A4879684342FC9251363,SHA256=10756525B8EE3A9078BECB38A1F8A62F912CB994D5F97E4D5B50B8406153FA38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:37.182{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:37.182{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000167243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:03:37.182{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a9901668-d071-423d-9a3d-c8cc61f86235}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000167242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:03:37.182{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a9901668-d071-423d-9a3d-c8cc61f86235}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000167241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:03:37.182{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a9901668-d071-423d-9a3d-c8cc61f86235}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000167240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:03:37.182{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a9901668-d071-423d-9a3d-c8cc61f86235}\LeaseTerminatesTimeDWORD (0x63234cd9) 13241300x8000000000000000167239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:03:37.182{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a9901668-d071-423d-9a3d-c8cc61f86235}\T2DWORD (0x63234b17) 13241300x8000000000000000167238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:03:37.182{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a9901668-d071-423d-9a3d-c8cc61f86235}\T1DWORD (0x632345d1) 13241300x8000000000000000167237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:03:37.182{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a9901668-d071-423d-9a3d-c8cc61f86235}\LeaseObtainedTimeDWORD (0x63233ec9) 13241300x8000000000000000167236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:03:37.182{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a9901668-d071-423d-9a3d-c8cc61f86235}\LeaseDWORD (0x00000e10) 13241300x8000000000000000167235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:03:37.182{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a9901668-d071-423d-9a3d-c8cc61f86235}\DhcpServer10.0.1.1 13241300x8000000000000000167234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:03:37.182{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a9901668-d071-423d-9a3d-c8cc61f86235}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000167233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:03:37.182{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a9901668-d071-423d-9a3d-c8cc61f86235}\DhcpIPAddress10.0.1.15 13241300x8000000000000000167232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:03:37.182{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a9901668-d071-423d-9a3d-c8cc61f86235}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000167298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.541{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60EC542D75271916E5B16920BB428C9,SHA256=8FB0279F7E329C9369CE882E9727F42C807848A5EC23B1B1A575BEE3781B2AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.498{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48BAE5E539C66FFA2F57D36406DF824,SHA256=6A1B32CBB54BB170795FA48932D3D1F01FAFA28A7644871A27D5CB237D7C7A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:38.788{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF59222815EAECA50AA1053CF5E46CCF,SHA256=1AC1750AA5DA9043936B5E14669300DF64823912B053E974175592197FC9490D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.304{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.302{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.300{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.297{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.296{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.284{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.283{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.283{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.280{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.278{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.275{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.272{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.265{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.264{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.247{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.232{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.224{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.192{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.184{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.171{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.166{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.164{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.161{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.158{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.156{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.152{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.149{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.147{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.143{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.139{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.137{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.120{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.108{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.106{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.102{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.091{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.089{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.075{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.062{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.034{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.028{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.021{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:38.013{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 23542300x8000000000000000167300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:39.674{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75EE80D4BFC4887F6A98228B11AF11A4,SHA256=1EC0DC1EF9EFC4057C26E8BB489543350E027A40B83202445A338D71C099D031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:39.894{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2699DE3AA335A8755EC00EDEEE51DD,SHA256=82DF56E70607634C71B82CA326398DF9C50949189E89679AC8A466A70809364F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:36.031{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 354300x8000000000000000269980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:36.602{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65399-false10.0.1.12-8000- 23542300x8000000000000000167305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:40.793{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D069E9713D47EA19679CCEE638FED770,SHA256=3E9CA5950155E7872118B1D5AAB491D5D04B20CB289C02A56F6F74CA5797020B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:40.215{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E39D57D3558029E33187B8897F7366D9,SHA256=E17750342B5E6AE189C0AADDB3C65AB3EA33D035C94D17D561FDB90086D30C5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000167303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:37.062{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55295-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000167302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:36.040{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:5861:e280:87a6:ffff-58161-truee000:fc:7f00:4220:3801:4908:bb02:3500-5355llmnr 354300x8000000000000000167301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:36.040{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:cceb:6c80:9dd1:9c87win-host-ctus-attack-range-102.us-east-2.compute.internal58161-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x8000000000000000167306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:41.899{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A83999FF451A75D81E6014E02E7060,SHA256=C47B2EEB919538929980A0D4E0B167AB49725A161206064EBF5549A53FBB2559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000269982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:40.999{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=093182D822F9C8DECC3C8C9D23B0BA06,SHA256=849390952383C0B8BEEF3C458EDB8676C8FB9036EB4DE4A43D3FB6B6335A52A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000269985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:42.301{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:42.301{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000269983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:42.105{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B51B15F26D699C4ACDB81E8ACBE65A,SHA256=B98EA723E74B5225E290972DA58C7D681E7F2E9F0BD96B62CC4A94CAC5CB3050,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000269986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:43.110{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F090CADA6FE4AC43F449F1AD69C03CF,SHA256=B575517AAAB879700ACB88F7B36AA2C3657BEACBF3CA93225F01D26B12C647A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:42.998{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E972D035A63DBA5DA451901405D78F0,SHA256=FD4BAD7CB53BA18502977803FEA9129274A8C454F93F69B069E3E5072617B45C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000269988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:42.535{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65400-false10.0.1.12-8000- 23542300x8000000000000000269987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:44.214{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9F1CFB6E6C64274C9C1DA814D15D9E,SHA256=612FDD5A8238AF30059162DC3C0B5270F557A9FB0828FE870E2D79C730CBFE20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:44.021{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C04E9A0FFCC3958D9474BBD5E18590C,SHA256=1D01407D45D35A0B58FFC08DBED5782B6CEADFABC1350E8DDBFA35E9B6EF9C3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000270012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.722{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.720{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.364{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.348{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.330{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.326{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 23542300x8000000000000000270006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.324{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6111F964D56BD5D1671D8438E0753C6,SHA256=4D11B96E0AA72C21616326AFCB53746CFCF1083523481DC8B3DCA6147A0253A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000270005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.316{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.312{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.310{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.305{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.296{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.251{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 23542300x8000000000000000167309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:45.155{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F807EFF9D71EC45A5DE3C0B82A14F0,SHA256=A193FC0B6A721BCD201274E610E5749A222204F479EDF3E096C9AB616B58BDED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000269999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.216{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000269998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.206{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000269997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.189{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000269996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.178{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000269995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.169{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000269994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.155{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000269993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.149{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000269992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.140{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000269991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.131{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000269990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.082{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000269989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:45.080{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000270013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:46.334{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49C28D1A1FCE1F57492F96D18DF536D,SHA256=1F783A15E632797B0EAAEAD4A0BAB2DD87D29926C2ADFCF2614E9B020E81C769,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:43.052{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55296-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:46.171{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B933A012E7811BC74A5DCB9B21E1087C,SHA256=E09EC96BF3A894076ABE98F04FA7EFAE8981C0E8C5BB207983DBE6FAFA1CB038,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000270025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:47.734{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:47.733{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 734700x8000000000000000270023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:47.731{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000270022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:47.730{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 10341000x8000000000000000270021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:47.728{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 734700x8000000000000000270020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:47.728{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000270019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:47.726{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 10341000x8000000000000000270018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:47.725{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 734700x8000000000000000270017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:47.725{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000270016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:47.724{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000270015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:47.722{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000270014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:47.438{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F91269C4CBF725C35BDF1FBD3F8C1A91,SHA256=71F96374D176B43A6FEDEA01C1606210B84436C12C24E2E1294310C2413FC9FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.965{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3ED3-6323-610F-000000007502}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.965{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3ED3-6323-610F-000000007502}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.965{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3ED3-6323-610F-000000007502}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.963{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3ED3-6323-610F-000000007502}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.963{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3ED3-6323-610F-000000007502}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.963{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3ED3-6323-610F-000000007502}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.800{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3ED3-6323-610F-000000007502}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.800{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.800{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.800{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.800{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.800{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3ED3-6323-610F-000000007502}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.800{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3ED3-6323-610F-000000007502}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.801{E743DC12-3ED3-6323-610F-000000007502}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:47.219{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4A10D76F0FA79387FF1559B0290A13,SHA256=417066CC0A53ED46ADB8AE4F50D480A847BEF9FEF6C5183A42FA8DC1AAB649B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.827{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570E816371CA03D0246C2E134C1DF998,SHA256=B596A6CB3A0767FD942A95CF05138FF74E3C16FD2F2FC989581EAA6DA6E1AEAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000270074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.523{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.520{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.516{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.515{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.495{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.492{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.486{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.482{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.479{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.474{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.468{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.463{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.460{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.456{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.452{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.451{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.451{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.449{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000167346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.962{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3ED4-6323-630F-000000007502}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.960{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.960{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.960{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.960{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.960{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3ED4-6323-630F-000000007502}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.959{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3ED4-6323-630F-000000007502}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.958{E743DC12-3ED4-6323-630F-000000007502}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.918{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E362DF2E3A92CA35700E00AA420CB47,SHA256=6ED976B3839A08C8964A89C3387381F25CC9057B7E375BE2F0B8635EC5893FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.887{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-438MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.344{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3ED4-6323-620F-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.344{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.344{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.344{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.344{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.344{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3ED4-6323-620F-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.344{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3ED4-6323-620F-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.346{E743DC12-3ED4-6323-620F-000000007502}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.323{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE1F679F5F515F67F8B5B7E03660256,SHA256=9439800D4E82F92B8269B038B94AD9EEC36D8C59585EE4870A5D6F05764DA6AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000270056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.435{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.434{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.431{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.429{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.419{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.418{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.415{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.412{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.409{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.408{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.407{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.404{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.401{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.386{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.383{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.355{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.352{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.333{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.324{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.284{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.277{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.264{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.259{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.257{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.254{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.251{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.248{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.247{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.241{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.240{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 10341000x8000000000000000270026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.237{6820D070-DD11-6322-8606-000000007402}52805372C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580850) 23542300x8000000000000000167327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.069{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=93287ED273D8A98E518D96C488A38F5C,SHA256=4DDC76192F4CC36FFAB19F444CEE80DB5CE0D8084BD1DE103E74F959BF49B27E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:49.464{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61262BD03D216DA80640356A517E6E4,SHA256=D3AF6B3F4719ECC51D68DF1C1C782A7D90B40DFF736B8C3C1144F7ABA4E4757A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:49.886{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-439MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:49.544{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3ED5-6323-640F-000000007502}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:49.544{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:49.544{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-3ED5-6323-640F-000000007502}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:49.544{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:49.544{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:49.544{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:49.544{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3ED5-6323-640F-000000007502}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:49.546{E743DC12-3ED5-6323-640F-000000007502}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:49.428{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500E78D1FC0E57A3B2746F737CA5D0D4,SHA256=C3689C63AD349CE654DEA93197711AFB61221657FB710D2F6B93D508F4878995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:49.144{E743DC12-3ED4-6323-630F-000000007502}48523268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000270078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:50.569{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9ADA9A7683688FD73E7467859BA0C8,SHA256=A840F8FD461F40975889E915B67AC64F4D6EB3C832E533F52A13965ACC3D2ABC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000270077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:48.521{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65401-false10.0.1.12-8000- 10341000x8000000000000000167378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.928{E743DC12-3ED6-6323-660F-000000007502}13485812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.744{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3ED6-6323-660F-000000007502}1348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.744{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.744{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.744{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.744{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.744{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-3ED6-6323-660F-000000007502}1348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.744{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3ED6-6323-660F-000000007502}1348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.745{E743DC12-3ED6-6323-660F-000000007502}1348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.744{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1EA6182A112F52D682D10435A836F894,SHA256=B933F13E97E8E0BE7CE103C6BD83529E4D6B715D768A86B33FDF7D0AED7B9146,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000167368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:48.065{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55297-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.523{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF342E5BE9AD9A2E6C36B6D004646701,SHA256=49DFDD054326937994BA02832B1450EF828CBD9737490E27652480F787F2A8EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.300{E743DC12-3ED6-6323-650F-000000007502}13365632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.144{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3ED6-6323-650F-000000007502}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.144{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.144{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.144{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.144{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.144{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-3ED6-6323-650F-000000007502}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.144{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3ED6-6323-650F-000000007502}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:50.145{E743DC12-3ED6-6323-650F-000000007502}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000270079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:51.573{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9630DFC7AF1EE1B0F3FAC9C2CAA8B5D0,SHA256=80B97572E7EAAEA5E60B717361CEE15D5608224898BFCEB768C86F2F74086D54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:51.627{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D8E2F4ED0DD03522CBC1DC2C8CEB4E,SHA256=FEB307E918C57E276E8DADDBF6BA0DFED7C75DB4B6974BDC4FCC4CAC9A237117,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:51.528{E743DC12-3ED7-6323-670F-000000007502}12445396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:51.369{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3ED7-6323-670F-000000007502}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:51.369{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:51.369{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:51.369{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:51.369{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:51.369{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3ED7-6323-670F-000000007502}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:51.369{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3ED7-6323-670F-000000007502}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:51.370{E743DC12-3ED7-6323-670F-000000007502}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:52.744{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29DE1888F1131385DCC4FFD031A57FA4,SHA256=7679EFBD980C36046FE499E32E861F6E7A584FAD2B7C9C9C674A83DBB78D3FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:52.785{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D573C788FB0A38D7BC80F489C4682D69,SHA256=59B3C4E4A343D27149AE1223349E9743D690154E8DA317D55D1E1FC0DEE22931,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:53.890{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3CA94508F1543ED8B1A37E5443119B,SHA256=F2A3BBA4A7BD7C74D7B6F4556A99922BF3F7D8B70ACB450B8BD808572DE91F55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:53.783{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2230F8FAB0B6185D4CEB4D5CA343381,SHA256=21391E886F7711437CF03F3A4710AF76B414F5213034E2CA0A8E88B6BEF85648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:53.394{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=59DA57B9949B549C93A3AA88E09445F9,SHA256=DBFB4473342AF41FFD9982F2AFB9D6A383930338802DECA235F96E27252F656E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:54.995{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC89A45BE2165F494DB05D1FAA1A45D7,SHA256=D5D34B22764C2ABB01ED040115952EFD377E224876DAACE3827ED5264A58ACC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:54.916{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6AAB4D6B232EC939EC5346833AFE61,SHA256=2E490142E8D832B85AD34FFA09079FCFFC68E8E1030F9E43FE96A7BDCBF11B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:55.952{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A192000BA535762F0FEF0BE0636755,SHA256=05ACA80EF360B21ACF4822EB1C6327C103537F0101BCDAA5378A5E8E72375128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000270085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:55.085{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:55.084{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000270087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:54.501{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65402-false10.0.1.12-8000- 23542300x8000000000000000270086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:56.100{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0B89CFE775D61E99A7ED64F8144405,SHA256=D362398774EA0B24DF4C5B30B7CC8CD4BBD4ADFF2851B5AF1FD461650F3D091F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:54.047{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55298-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000270088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:57.406{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335247D4D2EF45F6D989A68B31312B55,SHA256=7A09CD5201DB180B7A3F48D88B5EBE7A03E13F7CED381F972912F9FFDD1FBD7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:57.991{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:57.986{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:57.980{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:57.973{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:57.966{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:57.958{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:57.955{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x8000000000000000167394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:57.066{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCF468765E53DCEEDDEFC9B8D3ABBF3,SHA256=BE2C34D6A53DD0F62FFF20B3F921D51FB946FB6C3570E0930333A8FCC53A3051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:58.511{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9F2A31FB036A3B43A3F3A9D528ECFA,SHA256=719E34819DD686FDEAE7ECF097A076E7294E31A2C6259C6BC6B63E1D833F6853,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.267{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.265{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.262{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.259{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.257{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.241{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.240{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.240{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.236{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.234{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.231{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.228{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.219{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.213{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.195{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.178{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.169{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.144{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.137{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.125{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.120{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.118{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.116{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.114{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.113{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.109{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.106{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.105{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.102{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.101{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.099{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.097{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.092{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.089{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x8000000000000000167411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.087{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D95BEA7C74BE8649375121DF0D6FF10,SHA256=FABF9C3F51F41EC41D34BE03AC174D9948C71F5CF0F116A710DCF9B6FBCC4C7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.085{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.078{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.076{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.059{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.050{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.022{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.017{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.010{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000167402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:58.001{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x8000000000000000270090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:59.618{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E67BCE5D4F1A363D5362313B7CEB98,SHA256=8185A8BC15099FC6E6EAC4C86F3576C75417044BA608E0857B98F3C51286F116,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:59.500{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA633CD64C06329291707F540CBCBE7B,SHA256=9D665A87F5F188A51A0672218D4C71DCB44B7418827867F7DA76CDE5D2F476A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:00.723{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A530D93C6F6D3FF411058F88EF34E76,SHA256=BAC141516C01264995447031023719674E877BCB1B0475D7A0C1D9E5158ED5DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:00.552{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A310837E6F1CC9D432C70189972685B3,SHA256=B8FD85E7D729543C6A20F7E7EA23EB1318EE084B667F9774DFC3EAE8DDA5CBAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:01.830{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7D8C8EFC73FC47F4C9A4A798CB8CC0,SHA256=A2487C63E4FD516B643B03DF261B8BB86F82371B4A141BA5DC5D70440471184A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:03:59.101{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55299-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:01.668{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5815D891B695B1F2FE192AC0699284E2,SHA256=88E1F1ED8407B2D051468CC97D929CA406FB6DCB66995A86109EFC99C0F148B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000270092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:03:59.673{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65403-false10.0.1.12-8000- 23542300x8000000000000000167451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:02.782{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444158C8631CCD557F2F0C511B1FBF26,SHA256=93AE6443DC882C557DC009BC50F671126BDA9E329073EBAE04CDA9DEFB5CAB60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:02.934{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B8FFF10C0AB93A7BCC8ABEDE777BFB,SHA256=B0700ECD6A3042087C7015AE17F4A21566DAFA70ABBE2714BAEE21E68729D311,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:02.383{E743DC12-D550-6322-0D00-000000007502}7843528C:\Windows\system32\svchost.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:03.883{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FACC3178519CAF830E7B4CF12D677FA,SHA256=ABBB566D9459FA5242D2225ABEC939B056A6E67C8CCC72E2EB1D9F53D54BEE1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.594{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F207E0781DF2D09F35B6A432EAA5BC,SHA256=C825A0FF686AF2A355EA8070290166D0E6ED2B7ADFB7D62209EB5E7558016454,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000270175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.556{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\NetTCPIP.dll10.0.14393.2515 (rs1_release_1.180830-1044)TCPIP WMI ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationNetTCPIP.dllMD5=4B096C06E1DED0232A76C2A48DE0BE8E,SHA256=7208DF0723FC09633C93CAAAB1AF69D190C08A8DDB5CAE3B250196F4E5FAF1AF,IMPHASH=ECC0376467C8DC568E036A790477D447trueMicrosoft WindowsValid 734700x8000000000000000270174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.556{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft WindowsValid 10341000x8000000000000000270173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.547{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.547{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.547{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.525{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\NetSetupApi.dll10.0.14393.4467 (rs1_release.210604-1844)Network Configuration APIMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPAPI.DLLMD5=45630D9F60DF8BADDEAE3F0AA36844B0,SHA256=4784030365C7915290C0B3716262BEB3BD6328CE52CBE78FE75B66BDD4D1FEE0,IMPHASH=E720F8D9617FB3683EDBA9D49F46739EtrueMicrosoft WindowsValid 734700x8000000000000000270169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.524{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft WindowsValid 734700x8000000000000000270168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.523{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\NetAdapterCim.dll10.0.14393.3930 (rs1_release.200901-1914)Network Adapter WMI ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationNetAdapter.dllMD5=354F54045D6BAD3984BB10E695E42D06,SHA256=B3B5C52014CB897FE9D3E1D0E45195299BFAB287FBB807EC7AE876233C66ABAA,IMPHASH=AB2E06BAA14F51ADF68374F9357B32C0trueMicrosoft WindowsValid 734700x8000000000000000270167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.527{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\miutils.dll10.0.14393.0 (rs1_release.160715-1616)Management InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationmiutils.dllMD5=28F778648D73EE69507A56F2F52D77A3,SHA256=97C6D40287173335D3208B0FACEDB3DC8DD3048900FBC70F359E29C0071EF0A3,IMPHASH=93EB58628B7F26836D57E6078C92A295trueMicrosoft WindowsValid 734700x8000000000000000270166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.527{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\mi.dll10.0.14393.0 (rs1_release.160715-1616)Management InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationmi.dllMD5=86EE1D8EF4EF3B8162965364EB51503B,SHA256=CEE442DCF9F8323918AE436E1F53876ECBADF156CA655FBA2CA2D222DEC3D151,IMPHASH=84AEB6EC4405AB87F66E6693FB6048F5trueMicrosoft WindowsValid 734700x8000000000000000270165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.526{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmitomi.dll10.0.14393.4704 (rs1_release.211004-1917)CIM Provider AdapterMicrosoft® Windows® Operating SystemMicrosoft Corporationwmitomi.dllMD5=AAF9446BCB4CBE5310B1A86685069B1A,SHA256=3ADDCADAB6FB3928FD7CFF8BD26EA6139D45F1502015A06F92720AA1E759F98F,IMPHASH=11D6C2589643342E776B2C8A35C4904AtrueMicrosoft WindowsValid 734700x8000000000000000270164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.524{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000270163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.524{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000270162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.523{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000270161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.523{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000270160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.513{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4,IMPHASH=EE3767E8CDC80CCB91A8FC0A7407A4A9trueMicrosoft WindowsValid 734700x8000000000000000270159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.505{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF,IMPHASH=200200BEAF933FA4627BF83C67BA473EtrueMicrosoft WindowsValid 10341000x8000000000000000270158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.509{6820D070-D2F0-6322-1500-000000007402}12527648C:\Windows\system32\svchost.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+dc41|C:\Windows\system32\wbem\wbemcore.dll+2cfcf|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.500{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000270156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.494{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000270155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.485{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 734700x8000000000000000270154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.483{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000270153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.476{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.475{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000270151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.472{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000270150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.472{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000270149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.472{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.471{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000270147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.439{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3,IMPHASH=481A52B415277FC8692C7D6D9EA3475CtrueMicrosoft WindowsValid 734700x8000000000000000270146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.471{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000270145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.468{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 23542300x8000000000000000270144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.467{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3FAFE357C4C7B2D430F4D566679965CF,SHA256=E893DBE79D7A82080658341D178E60AC1D4FD7E49B9EBD992E7FDAF8AD68819C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000270143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.464{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000270142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.464{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000270141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.435{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1,IMPHASH=69BCD1B17DF0CA323B0C1639784D745BtrueMicrosoft WindowsValid 734700x8000000000000000270140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.431{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ncobjapi.dll10.0.14393.0 (rs1_release.160715-1616)-Microsoft® Windows® Operating SystemMicrosoft CorporationNCObjAPI.DLLMD5=EA51AB4DE69030FC62B5014175D27A88,SHA256=774A8136F6FC789952548DA2A72F2E53E32A33E91C48EA707C1D823058515DAB,IMPHASH=8BFED2C4A0A233671E2426106589658DtrueMicrosoft WindowsValid 734700x8000000000000000270139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.427{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeMD5=E1BCE838CD2695999AB34215BF94B501,SHA256=1D7B11C9DEDDAD4F77E5B7F01DDDDA04F3747E512E0AA23D39E4226854D26CA2,IMPHASH=20C3512CFF09FABFB994B8B9DBF73B4FtrueMicrosoft WindowsValid 734700x8000000000000000270138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.436{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000270137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.436{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000270136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.435{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000270135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.435{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000270134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.430{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000270133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.428{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000270132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.428{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000270131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.391{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x8000000000000000270130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.428{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000270129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.427{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000270128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.426{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.381{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x8000000000000000270126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.367{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 10341000x8000000000000000270125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.416{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.416{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.416{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.365{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmidcom.dll10.0.14393.3115 (rs1_release_1.190708-1703)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmidcom.dllMD5=36C6EC0E60A0FB192ADE5CB6FD4881DA,SHA256=6B12A6337CCA00FCC7B9FD16D649D6468B6863EA0C12622F5E1D7804358FBB8D,IMPHASH=F591D92C7000065AD151DE6CB5E6019EtrueMicrosoft WindowsValid 734700x8000000000000000270121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.402{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000270120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.402{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000270119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.353{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210,IMPHASH=BC4A2B9355432144727A5322381AB386trueMicrosoft WindowsValid 10341000x8000000000000000270118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.399{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.398{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.394{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.394{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.393{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.393{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.393{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.392{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.392{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.349{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\slc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationslc.dllMD5=060E11DCB875D981E948073986E295DC,SHA256=30858EA58F24537CC3369091F92AD70C59877BDB1FDF8DEC7762A7AB72DDE885,IMPHASH=70AAA0F56F084D1AE09EB5CD51B268ECtrueMicrosoft WindowsValid 734700x8000000000000000270108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.346{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\clusapi.dll10.0.14393.4467 (rs1_release.210604-1844)Cluster API LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationclusapiMD5=884A820B75F04674CF5F27870F9FEE27,SHA256=2E33EB1D4EE0E7008FB4ECD49EED3F6CF49B8E5068125DEA2CC771714C0B7C4C,IMPHASH=A18EA9022AC27F1C7E02F74FAE45378EtrueMicrosoft WindowsValid 734700x8000000000000000270107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.370{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000270106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.335{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\pdh.dll10.0.14393.3930 (rs1_release.200901-1914)Windows Performance Data Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPDH.DLLMD5=59F500DD4E79AC74E13A668FEF51B9BC,SHA256=2FB08C56645CE12F6E3D95E140128E3BBED9C9CA5310FB094280CC5A972B2BEA,IMPHASH=07A597DB5C8A66596D816006E7F44247trueMicrosoft WindowsValid 734700x8000000000000000270105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.360{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 734700x8000000000000000270104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.330{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmitomi.dll10.0.14393.4704 (rs1_release.211004-1917)CIM Provider AdapterMicrosoft® Windows® Operating SystemMicrosoft Corporationwmitomi.dllMD5=AAF9446BCB4CBE5310B1A86685069B1A,SHA256=3ADDCADAB6FB3928FD7CFF8BD26EA6139D45F1502015A06F92720AA1E759F98F,IMPHASH=11D6C2589643342E776B2C8A35C4904AtrueMicrosoft WindowsValid 734700x8000000000000000270103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.326{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\miutils.dll10.0.14393.0 (rs1_release.160715-1616)Management InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationmiutils.dllMD5=28F778648D73EE69507A56F2F52D77A3,SHA256=97C6D40287173335D3208B0FACEDB3DC8DD3048900FBC70F359E29C0071EF0A3,IMPHASH=93EB58628B7F26836D57E6078C92A295trueMicrosoft WindowsValid 734700x8000000000000000270102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.339{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1,IMPHASH=4CAFDD735088F52AC974373982DCCDF2trueMicrosoft WindowsValid 734700x8000000000000000270101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.322{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\mi.dll10.0.14393.0 (rs1_release.160715-1616)Management InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationmi.dllMD5=86EE1D8EF4EF3B8162965364EB51503B,SHA256=CEE442DCF9F8323918AE436E1F53876ECBADF156CA655FBA2CA2D222DEC3D151,IMPHASH=84AEB6EC4405AB87F66E6693FB6048F5trueMicrosoft WindowsValid 734700x8000000000000000270100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.321{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\mgmtprovider.dll10.0.14393.953 (rs1_release_inmarket.170303-1614)Server Manager Managment ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmgmtprovider.dllMD5=0085BE17C932B9A642A7DE3D025DFE0F,SHA256=412CE5575A19826B54EBE7785D117E5823A74EB6F54ACBD1B3FFCCA6BF2EBE16,IMPHASH=AA6F7EAD0FA1846FB201D6CB41656A59trueMicrosoft WindowsValid 10341000x8000000000000000270099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.330{6820D070-D2F0-6322-1400-000000007402}10881616C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.323{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 10341000x8000000000000000270097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.313{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.313{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:03.312{6820D070-D2EE-6322-0B00-000000007402}628804C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:04.915{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D202A595DFFDD1A3FE248596690DEE8,SHA256=AFAFF38685B83E6D2B514DE66DA71BC6B796625A2633252C72E1C9728E0117E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000270186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:02.712{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65404-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000270185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:02.712{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65404-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 10341000x8000000000000000270184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:04.407{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:04.407{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:04.406{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:04.405{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:04.405{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:04.405{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 23542300x8000000000000000270178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:04.322{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ACB0CFBEC6569F5CEFF3BC1D91308D0,SHA256=A43813419248725B5995C06EF25E23109256A7E6AB598A55AB753C301F6ADD73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:04.112{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3611FB5A34ED023C5278C64FF3660411,SHA256=945CCAE3FFC7AF3CDFC53F7C38EE5F89EFBED8185FF888F48C87B08F8AC4B353,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:05.952{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC5CA1077E8D153102E9EEC890E69AD,SHA256=15DED4938CE2254D7C43671687F7F78E88D2A10EED7E00CBD8C7D79CC6E78880,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000270274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.695{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.694{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.629{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.629{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.629{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.628{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.628{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.628{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 23542300x8000000000000000270266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.429{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956207155E10404F8CB3F0473926A5B3,SHA256=D7CEABCB671BDC1477C14D94681C3C64BFA16E8F6CEBB7082AF67E70CBE96FA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000270265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.378{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BF,IMPHASH=B74E4EE6BBCE405BE73914241C9AF2C8trueMicrosoft WindowsValid 734700x8000000000000000270264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.368{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\perfproc.dll10.0.14393.3930 (rs1_release.200901-1914)Windows System Process Performance Objects DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPERFPROC.DLLMD5=204FACCEB3ECB3EFE16B44AA9B5E6BA9,SHA256=D366F1799012E44BC86680F20B8D087402F00DE1E20654039C9975AC9D5DBE27,IMPHASH=4A93C45FDB634C019EC5AFBC8AF21EF8trueMicrosoft WindowsValid 734700x8000000000000000270263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.279{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\Dism\DismCore.dll10.0.14393.4169 (rs1_release.210107-1130)DISM Core FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationDismCore.dllMD5=F1AB58CACD95921A04225222D03CDEA0,SHA256=EDE89F377FD46F95639413411CDA072D9FF63E72A399B26AB4870094F145091B,IMPHASH=B7B56C790C8AB7134B0680D8DFE46658trueMicrosoft WindowsValid 734700x8000000000000000270262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.273{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msxml3.dll8.110.14393.5127MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=9D77BBEA5D618AC8D5218553D30E51FF,SHA256=E3B966541623884A78A09EA6D36269853B31FE31FB6DF90B48080F13E006F5DC,IMPHASH=A80F24725C5C87DCE74AE4F927273077trueMicrosoft WindowsValid 734700x8000000000000000270261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.263{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\DismApi.dll10.0.14393.4169 (rs1_release.210107-1130)DISM API FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationDismApi.dllMD5=3EC5F4F5A3F40C1C512ABB9E048B4685,SHA256=43AC5284F3DF4B93A0A4659F06896A42B5DEF3FE8EE305D02B87FDD4954F670A,IMPHASH=D2BE19E2E5B14FE0AF2A1D0CD6219FA8trueMicrosoft WindowsValid 734700x8000000000000000270260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.330{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000270259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.328{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 734700x8000000000000000270258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.328{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000270257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.325{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000270256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.325{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000270255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.325{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmidcom.dll10.0.14393.3115 (rs1_release_1.190708-1703)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmidcom.dllMD5=36C6EC0E60A0FB192ADE5CB6FD4881DA,SHA256=6B12A6337CCA00FCC7B9FD16D649D6468B6863EA0C12622F5E1D7804358FBB8D,IMPHASH=F591D92C7000065AD151DE6CB5E6019EtrueMicrosoft WindowsValid 734700x8000000000000000270254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.250{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ktmw32.dll10.0.14393.0 (rs1_release.160715-1616)Windows KTM Win32 Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationktmw32MD5=17D51DFC12643CD3D76EF6ED8BEEC731,SHA256=43F8F1D2B1C7B1085736899A2B0CB2CF931962E457A8AD4345181F8262818A99,IMPHASH=1BD3BB25B0DF402C7C9590A07C7436FBtrueMicrosoft WindowsValid 734700x8000000000000000270253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.249{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\ServerManager.DeploymentProvider.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft CorporationServerManager.DeploymentProvider.dllMD5=7E88CD0BAE5B6AF69EFE83819D73077E,SHA256=D51AF7760B5F031FD51933B7C9C50347DBD9398E6DB77FEC3FD9C2AA1BA40102,IMPHASH=C6777CFD3FE49023A5786DC2AAC9306BtrueMicrosoft WindowsValid 734700x8000000000000000270252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.246{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\taskschd.dll10.0.14393.4651 (rs1_release.210911-1554)Task Scheduler COM APIMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskschd.dllMD5=5FE3004A4C13FBC1B67CA879BB23800B,SHA256=120A7B49788154395D02C920D9F699EC944784C5162D9CDF8AFD8C927A26B1D1,IMPHASH=2C7BF5CADC559377391AFDF385763E3CtrueMicrosoft WindowsValid 734700x8000000000000000270251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.237{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\mintdh.dll10.0.14393.0 (rs1_release.160715-1616)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmintdh.dllMD5=32254E75260F1CAE3AB9EAC044B344B7,SHA256=B714E3CDEB23E63894D62E9335F51E301A9093F263623CCEFA2F674AABE7D629,IMPHASH=92D4FBE8F70FD95D329EA4882A8C3278trueMicrosoft WindowsValid 734700x8000000000000000270250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.233{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\tdh.dll10.0.14393.5125 (rs1_release.220429-1732)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationtdh.dllMD5=6F455C95F294B3A3E34102BEF294D45C,SHA256=2182F234811B1DF1A366AE925A8167C0BC519AEBAF55A92887E36651EBA7E347,IMPHASH=E0A9B1840595F8507313FB797C5187E6trueMicrosoft WindowsValid 734700x8000000000000000270249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.272{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000270248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.271{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000270247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.264{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmitomi.dll10.0.14393.4704 (rs1_release.211004-1917)CIM Provider AdapterMicrosoft® Windows® Operating SystemMicrosoft Corporationwmitomi.dllMD5=AAF9446BCB4CBE5310B1A86685069B1A,SHA256=3ADDCADAB6FB3928FD7CFF8BD26EA6139D45F1502015A06F92720AA1E759F98F,IMPHASH=11D6C2589643342E776B2C8A35C4904AtrueMicrosoft WindowsValid 734700x8000000000000000270246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.225{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\pla.dll10.0.14393.4169 (rs1_release.210107-1130)Performance Logs & AlertsMicrosoft® Windows® Operating SystemMicrosoft CorporationPLA.DLLMD5=937CB9331862AA203237632B9F6949A8,SHA256=43FD273C80A0EC24E30731336B55FA247E75303C0C0BCA0CEA662BBFD14EA482,IMPHASH=935D2875880DB5446A755230498F7A6EtrueMicrosoft WindowsValid 734700x8000000000000000270245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.250{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\miutils.dll10.0.14393.0 (rs1_release.160715-1616)Management InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationmiutils.dllMD5=28F778648D73EE69507A56F2F52D77A3,SHA256=97C6D40287173335D3208B0FACEDB3DC8DD3048900FBC70F359E29C0071EF0A3,IMPHASH=93EB58628B7F26836D57E6078C92A295trueMicrosoft WindowsValid 734700x8000000000000000270244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.250{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x8000000000000000270243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.250{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\mi.dll10.0.14393.0 (rs1_release.160715-1616)Management InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationmi.dllMD5=86EE1D8EF4EF3B8162965364EB51503B,SHA256=CEE442DCF9F8323918AE436E1F53876ECBADF156CA655FBA2CA2D222DEC3D151,IMPHASH=84AEB6EC4405AB87F66E6693FB6048F5trueMicrosoft WindowsValid 10341000x8000000000000000270242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.250{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.244{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 734700x8000000000000000270240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.241{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4,IMPHASH=EE3767E8CDC80CCB91A8FC0A7407A4A9trueMicrosoft WindowsValid 10341000x8000000000000000270239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.239{6820D070-D2F0-6322-1500-000000007402}12528148C:\Windows\system32\svchost.exe{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.237{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 734700x8000000000000000270237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.235{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF,IMPHASH=200200BEAF933FA4627BF83C67BA473EtrueMicrosoft WindowsValid 734700x8000000000000000270236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.233{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 10341000x8000000000000000270235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.233{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 734700x8000000000000000270234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.232{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000270233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.232{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000270232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.231{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 734700x8000000000000000270231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.230{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000270230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.229{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.228{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 734700x8000000000000000270228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.227{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECB,IMPHASH=536E202FBC448C2C3B40D60D87620951trueMicrosoft WindowsValid 734700x8000000000000000270227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.227{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000270226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.225{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000270225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.225{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 10341000x8000000000000000270224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.225{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 734700x8000000000000000270223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.225{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000270222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.224{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.224{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000270220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.223{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000270219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.223{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.222{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 734700x8000000000000000270217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.222{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000270216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.221{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000270215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.221{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000270214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.221{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000270213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.221{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000270212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.221{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000270211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.220{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000270210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.220{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1,IMPHASH=69BCD1B17DF0CA323B0C1639784D745BtrueMicrosoft WindowsValid 734700x8000000000000000270209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.220{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ncobjapi.dll10.0.14393.0 (rs1_release.160715-1616)-Microsoft® Windows® Operating SystemMicrosoft CorporationNCObjAPI.DLLMD5=EA51AB4DE69030FC62B5014175D27A88,SHA256=774A8136F6FC789952548DA2A72F2E53E32A33E91C48EA707C1D823058515DAB,IMPHASH=8BFED2C4A0A233671E2426106589658DtrueMicrosoft WindowsValid 734700x8000000000000000270208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.220{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3,IMPHASH=481A52B415277FC8692C7D6D9EA3475CtrueMicrosoft WindowsValid 734700x8000000000000000270207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.219{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000270206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.218{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000270205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.218{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000270204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.217{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 734700x8000000000000000270203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.217{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.217{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeMD5=E1BCE838CD2695999AB34215BF94B501,SHA256=1D7B11C9DEDDAD4F77E5B7F01DDDDA04F3747E512E0AA23D39E4226854D26CA2,IMPHASH=20C3512CFF09FABFB994B8B9DBF73B4FtrueMicrosoft WindowsValid 10341000x8000000000000000270201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.216{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000270200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.216{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.194{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000270198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.184{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B76A93F713AC8DD8824F303FE528E14,SHA256=AD74EF859023A2EEC8350BA82EB3C29F0820B4EE97E5D50BF477CF7328F09993,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000270197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.181{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.175{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.168{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.156{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.148{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.138{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.132{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.123{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.116{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.070{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.068{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000167458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:06.997{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D0CBDC1E86C400550BE0C81F64A7F1,SHA256=D29ED60F7C1FAB7B37A2E1FE5F8EB0C1FA9B6C0DEC0BA9E54F5BAA725ED74284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:06.224{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434F60D8C546A21DF4384D43F18BEF2B,SHA256=731A5ED01D293052E37ED9944BEF23FF9D82DC0022B77834757CB68518E5C127,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:06.265{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000167456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:06.265{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:06.265{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF19c7d0b.TMPMD5=39D11997735CDFDAB7051AB86B8F82E9,SHA256=34F34B56FDEF9CE630B3344FE748DFBC186169F1CA2CC69FB9A6920D5DE026AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000270282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:07.709{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:07.707{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:07.700{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:07.698{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000270278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:07.646{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=E93726D9ABA7AE05093485A853ECA7F3,SHA256=9594F4DC1420D75196315DE2E65C6E50097C566025D81D5D3B3127302268BCE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:07.535{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-448MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:07.328{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FDDB060F0FA8A7AA81663F74EAB142,SHA256=A5723909C8A62ADCA06E3A31500A71B51736E2F1AC65A0D867A2BE8E9526CE82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:04.997{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55300-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000167461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:07.239{E743DC12-D550-6322-0D00-000000007502}7843528C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:07.239{E743DC12-D550-6322-0D00-000000007502}7843528C:\Windows\system32\svchost.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:07.239{E743DC12-D550-6322-0D00-000000007502}7843528C:\Windows\system32\svchost.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000270335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:05.525{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65405-false10.0.1.12-8000- 23542300x8000000000000000270334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.532{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-449MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000270333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.530{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.523{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.521{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.515{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.514{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.491{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.488{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.486{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.483{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.480{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.478{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.475{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.471{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.467{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.463{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.461{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.460{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.459{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.458{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.445{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.444{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.442{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000270311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.441{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC89A97C9716D082A3F81ADDFCC565F5,SHA256=9363D4D271AEC40C753C94DE4C90743684053B1B444856A537A8889F4011A29C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000270310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.439{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.424{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.422{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.418{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.415{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.412{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.411{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.411{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.408{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.406{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.396{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.393{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000167463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:08.038{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EEF5B170D29C321B1BC1FB8F98A36FA,SHA256=395F9BC580BAA43871147029C20493F65285F891B7A47E0C4F650254473B8F76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000270298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.344{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.340{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.321{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.311{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.263{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.255{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.244{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.239{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.232{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.228{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.225{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.223{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.222{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.218{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.217{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000270283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:08.214{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000167466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:09.537{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:09.537{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:09.113{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED00A9713734B9262EE7F7AB15FB2DC,SHA256=EB337D820931CD0540AFE92BE60C741DA967E4C8865B6E5B134D85233A4ACC5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:10.238{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489874A532C9FD6804EAC30509B3A0C5,SHA256=C8BD7A129BF111A9FED42C5C6526DFD51BA7E0F93251533289252B8D7AB760FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:10.011{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE9500CED5BD4743288CCB0D01609CD6,SHA256=E79CE09C1891993EFADED628D385011508FB6DB060130737D515240793D5E0CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:11.362{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8186E78013B5C51AB8CB26D6BA4F6A,SHA256=638B6F43A1BBB3CBB4DB68DA2911B5EA96E89AC91595C567DB6B31B012066D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:11.066{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5564ECDFE71E89C33B5EBA87EAF30F2E,SHA256=AFDA116ADA6533976E56D1B35473E742E2B7321D2E547DA39D68C26DEE362A08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:12.465{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0017608EEC85C9610967E71D687A92F,SHA256=13F6A2832F3979C81BAD334AC9B9D285313542CD20A87FEF4EF059695A5803F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:12.655{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=656BD9EB70944396A2F1FF57566A54C3,SHA256=7D68ECB361B011D72E520C39F2EF304BBD364279C31A20C9FEDF2C6DAC55D811,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000270339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:10.658{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65406-false10.0.1.12-8000- 23542300x8000000000000000270338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:12.071{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B86E2B73A153C435A60DA811D3B7032,SHA256=E71DF75057A4ABE8AF961D62F378B2D91FA14AA7184496C4361D45FAD1704E13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:10.961{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55301-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:13.579{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13136722EC48D6F1E2240E71ED4F272,SHA256=9840005F984F5A5B47B584179B258D03FC0934F0E1F1658C487A15504261DDF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:13.177{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB62EC298EF8015481710A587EB64AC,SHA256=35B59C8DAE896BC5E5873490F94FA1A6FC5B2AEE95A9277AF8510ABDB0923F21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:14.712{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F99B28066FF1BEAE5A1A090E1E0307,SHA256=743E4C90E572876726B2888805BA0434BDE0FA7EE71122A402AEF97C69C93E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:14.184{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3CDEDBF27F11B99A24C0BF196138F76,SHA256=D1918C42B6545A529B438537E880E111A30A1E4FFA348ED927784F1135544210,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:15.811{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F620E835B8E7CADD809F1931DAFBB3,SHA256=5B301FB5089DDC04EA27ED0895CA80C18E870657B937127B9470105820D092D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:15.292{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCA0CA85447FBEAF2A925AA51746E8B,SHA256=73565D3F321FEAEB5A77115162467E164A50CFB35A20AE494F9E2DE1C56D9DCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:16.598{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F95D1AC2AD44D753A30E7C3DD98590,SHA256=D319B5D2D35E09140CFF14F370FC0D37FFE33789F644C0233312360B08AAEA29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:16.862{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A7B34141DD12FE9489C322C183D2BB,SHA256=19844886E33D0AD3802F342BBC5395FD357DED59D6D7BE33BF542B7C054FE1B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:17.932{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:17.803{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D988DA2ADE9EBFF4A8CDF271A50CE98,SHA256=D0C9CD5BF1DA365F206069AE166787EE93F1F540847E6719A2550D9765FDFFDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:17.994{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:17.982{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:17.973{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:17.969{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000167475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:17.962{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FA91EA00DFE9E9ECBD7EEA1CAE5E2C,SHA256=67EC8D7D763762321219EA41EE5EB6B70E944A0245EF2A87AFD3A4908F77F6B2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000270447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.855{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000270446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.853{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000270445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.851{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000270444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.850{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000270443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.847{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000270442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.846{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000270441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.846{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000270440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.839{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000270439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.838{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000270438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.837{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000270437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.836{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000270436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.836{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000270435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.830{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000270434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.830{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000270433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.830{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000270432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.830{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000270431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.828{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000270430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.828{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000270429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.828{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000270428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.828{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000270427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.828{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000270426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.828{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000270425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.828{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000270424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.828{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000270423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.828{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000270422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.828{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000270421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.827{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000270420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.825{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000270419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.825{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000270418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.825{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000270417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.825{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000270416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.825{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000270415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.825{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000270414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.825{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000270413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.824{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.824{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000270411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.823{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.821{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000270409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.818{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000270408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.818{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000270407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.818{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.817{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.817{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.817{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000270403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.817{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.815{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000270401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.815{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000270400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.814{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000270399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.356{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 10341000x8000000000000000270398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.357{6820D070-3EF2-6323-4718-000000007402}16287000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.355{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000270396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.171{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000270395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.170{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000270394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.170{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000270393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.169{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000270392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.168{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000270391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.167{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000270390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.167{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000270389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.167{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000270388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.166{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000270387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.159{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000270386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.159{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000270385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.159{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000270384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.159{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000270383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.159{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000270382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.158{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000270381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.158{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000270380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.158{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000270379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.158{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000270378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.157{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000270377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.157{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000270376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.157{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000270375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.156{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000270374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.156{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000270373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.156{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000270372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.156{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000270371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.155{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000270370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.155{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000270369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.154{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000270368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.154{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000270367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.153{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000270366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.153{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000270365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.153{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000270364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.152{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000270363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.152{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000270362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.152{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.152{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000270360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.151{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.150{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000270358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.150{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000270357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.149{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.149{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000270355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.148{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.148{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.148{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.148{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.147{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000270350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.147{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000270349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.146{6820D070-3EF2-6323-4718-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000270348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.087{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:18.087{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.549{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE955C217DC0C2FAE98979A76327E078,SHA256=9BC59B634EF6775A12DDCEA8037643B3A7615BB2058D84640233D3436D52F4CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.289{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.287{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.285{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.282{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.280{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.267{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.266{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.266{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.263{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.260{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.257{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.254{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.246{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.244{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.225{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.210{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.201{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.175{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.168{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.159{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.154{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.152{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.150{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.148{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.147{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.143{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.139{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.138{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.135{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.134{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.132{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.129{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.124{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.119{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.116{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.109{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.107{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.094{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.084{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.056{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.050{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.042{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.034{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.022{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.016{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000167480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:18.005{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 354300x8000000000000000167528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:15.994{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55302-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:19.036{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E477C5089B92B360BCFD1566C1B59A64,SHA256=CF9F9A9C3B9FD44616FBD7852C82581EE910623562ED9BF4CB9B296C416A1F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.592{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E4821CC76872874152D913D96308D3,SHA256=C84705BB05AC68A272684F1CBDD0B4639490AAB32D0CF44C1C54CF761DE19A9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000270505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:17.390{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65408-false10.0.1.12-8089- 354300x8000000000000000270504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:16.540{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65407-false10.0.1.12-8000- 734700x8000000000000000270503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.533{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000270502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.533{6820D070-3EF3-6323-4918-000000007402}20043868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.532{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000270500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.531{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000270499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.362{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000270498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.361{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000270497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.361{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000270496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.360{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000270495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.357{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000270494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.357{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000270493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.356{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000270492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.356{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000270491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.349{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000270490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.349{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000270489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.349{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000270488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.347{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000270487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.347{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000270486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.347{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.347{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000270484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.347{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000270483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.347{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000270482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.347{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000270481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.346{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000270480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.346{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000270479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.346{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000270478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.346{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000270477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.346{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000270476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.344{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000270475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.343{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000270474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.342{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000270473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.342{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000270472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.342{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000270471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.341{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000270470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.341{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000270469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.341{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000270468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.341{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000270467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.341{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000270466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.341{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000270465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.340{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000270464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.339{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.338{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000270462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.338{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000270461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.337{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.337{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000270459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.336{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.336{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.336{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.336{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.336{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000270454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.336{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000270453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.334{6820D070-3EF3-6323-4918-000000007402}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000270452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.193{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57E5EF2E1755142E40357A8D23081507,SHA256=1AD0A2F911A5D04F1B46EBCAB6695F1693CF68F6FFD36EE87FC8A539CFD0B3F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.166{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C85D24DC34F5ABF4CDFEFBDFF1676BF,SHA256=200051359DF6A3DEFBA67F2E33EAEB2CFFFA31738ED8DD77BDA9FD18AB721112,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000270450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.127{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000270449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.126{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000270448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:19.125{6820D070-3EF2-6323-4818-000000007402}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000167533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:20.396{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:20.396{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:20.396{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:20.361{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:20.160{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2BF9FACF223D8A76AD99A0EAB71005,SHA256=994466A85AA6DCBDE3C8AD08EEC79F44445FD1E609A3DDB247972EAD520C1898,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000270614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.848{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000270613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.847{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000270612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.846{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000270611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.762{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449BFEDE2B0B744929B55CB932406732,SHA256=3432953FD6FAEA72EB58E607CC5272316945DF59113CD651595F68A75130544B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000270610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.653{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000270609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.652{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000270608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.651{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000270607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.651{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000270606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.649{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000270605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.649{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000270604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.648{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000270603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.648{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000270602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.639{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000270601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.638{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000270600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.638{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000270599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.638{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000270598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.638{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000270597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.638{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000270596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.638{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000270595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.638{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000270594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.637{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000270593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.637{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.637{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000270591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.637{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000270590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.637{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000270589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.637{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000270588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.636{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000270587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.636{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000270586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.636{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000270585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.636{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000270584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.636{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000270583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.636{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000270582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.636{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000270581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.635{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000270580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.635{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000270579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.635{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000270578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.635{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000270577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.635{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000270576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.635{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000270575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.634{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000270574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.633{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.633{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000270572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.632{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000270571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.632{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.631{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000270569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.631{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.631{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.631{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.631{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.630{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000270564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.630{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000270563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.629{6820D070-3EF4-6323-4B18-000000007402}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000270562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.189{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000270561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.187{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000270560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.187{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000270559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.111{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B38467519989995CE5226E5D0081547,SHA256=1257A1B9953A3E2D8F8B3CB81C6BBFE1A3DC773E6A34C4BB21FB76FBB7825B29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000270558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.025{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000270557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.024{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000270556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.024{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000270555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.023{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000270554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.021{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000270553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.021{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000270552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.021{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000270551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.020{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000270550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.014{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000270549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.013{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000270548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.013{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000270547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.013{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000270546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.012{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000270545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.012{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000270544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.012{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000270543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.012{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000270542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.012{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000270541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.012{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000270540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.011{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000270539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.011{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000270538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.011{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000270537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.011{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000270536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.011{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000270535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.011{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000270534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.011{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000270533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.011{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.011{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000270531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.010{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000270530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.010{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000270529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.010{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000270528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.010{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000270527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.010{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000270526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.010{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000270525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.010{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000270524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.010{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000270523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.009{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000270522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.009{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000270521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.009{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000270520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.009{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000270519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.008{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000270518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.008{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.007{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000270516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.007{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000270515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.006{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.006{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000270513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.003{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.003{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.003{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.002{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.002{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000270508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.002{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000270507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:20.001{6820D070-3EF4-6323-4A18-000000007402}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:21.260{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3B3226B5B0D6EB85B1FA5BAC8454B5,SHA256=4E256E6C1424D011391826B56DED4DAB35EC84277BDA17AC1A817E058A23F6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.872{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB0A94383D97897E4DEC8C762754003,SHA256=C6EE6E25EF1CF0DD078A8BD7AC2E4D3E1F7D69498C2D4BD1ACEB07B7BFA83159,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000270717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.828{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000270716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.827{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000270715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.827{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000270714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.825{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000270713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.823{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000270712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.823{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000270711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.822{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000270710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.822{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000270709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.813{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000270708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.813{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000270707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.813{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000270706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.812{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000270705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.812{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000270704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.812{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000270703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.812{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000270702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.811{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000270701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.811{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000270700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.811{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.811{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000270698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.811{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000270697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.811{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000270696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.811{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000270695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.810{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000270694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.810{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000270693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.810{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000270692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.810{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000270691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.810{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000270690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.810{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000270689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.810{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000270688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.809{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000270687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.809{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000270686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.809{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000270685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.809{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000270684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.808{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000270683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.808{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000270682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.808{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000270681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.807{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.807{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000270679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.806{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000270678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.806{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.805{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000270676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.804{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.804{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.804{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.804{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.804{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000270671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.803{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000270670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.802{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000270669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.486{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000270668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.486{6820D070-3EF5-6323-4C18-000000007402}25487216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.484{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000270666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.483{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000270665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.412{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.392{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.392{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.304{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000270661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.304{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000270660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.303{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000270659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.302{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000270658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.301{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000270657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.301{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000270656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.300{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000270655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.300{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000270654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.293{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000270653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.293{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000270652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.293{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000270651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.292{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000270650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.292{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000270649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.292{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000270648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.292{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.292{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000270646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.292{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000270645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.291{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000270644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.291{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000270643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.291{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000270642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.291{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000270641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.291{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000270640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.290{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000270639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.290{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000270638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.290{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000270637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.290{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000270636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.290{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000270635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.290{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000270634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.290{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000270633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.290{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000270632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.289{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000270631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.289{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000270630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.289{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000270629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.289{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000270628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.289{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000270627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.288{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.287{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000270625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.287{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000270624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.286{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.286{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000270622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.286{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.286{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.286{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.286{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.285{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000270617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.285{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000270616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.284{6820D070-3EF5-6323-4C18-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000270615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:21.282{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566A38D6837B414AB20BAC31EFDC0E4E,SHA256=C7B52078D702D03E1C3DC0CB369C0F2A4C8BDFA5CC81FD5C90FA0460AF03082C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:21.135{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=47F8247599A5B5FD10E7E9347EB5BAA5,SHA256=A63EB0544ADE92B525AF7FED2FA87DF8BADB075056C2DD266527F9989E1C9901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:21.011{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=04342100F33C13DAD1908523F78C3BE7,SHA256=A0ADC33F8F775F0F98E0542FB5A2E69B5A46806D1E557858852750F36D6AF962,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000270726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:22.997{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:22.981{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7d109|C:\Program Files\Mozilla Firefox\xul.dll+e7d3e8|C:\Program Files\Mozilla Firefox\xul.dll+121687b|C:\Program Files\Mozilla Firefox\xul.dll+e79d77|C:\Program Files\Mozilla Firefox\xul.dll+1231e36|C:\Program Files\Mozilla Firefox\xul.dll+cc66e|C:\Program Files\Mozilla Firefox\xul.dll+c52304|C:\Program Files\Mozilla Firefox\xul.dll+c5203b|C:\Program Files\Mozilla Firefox\xul.dll+18be779|C:\Program Files\Mozilla Firefox\xul.dll+1e9f84e|UNKNOWN(00000104A81232E3) 10341000x8000000000000000270724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:22.460{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7d109|C:\Program Files\Mozilla Firefox\xul.dll+e7d3e8|C:\Program Files\Mozilla Firefox\xul.dll+121687b|C:\Program Files\Mozilla Firefox\xul.dll+e79d77|C:\Program Files\Mozilla Firefox\xul.dll+e5eae7|C:\Program Files\Mozilla Firefox\xul.dll+1f88572|C:\Program Files\Mozilla Firefox\xul.dll+1a9930a|C:\Program Files\Mozilla Firefox\xul.dll+1a9be25|C:\Program Files\Mozilla Firefox\xul.dll+1e9f8e6|UNKNOWN(00000104A81232E3) 23542300x8000000000000000270723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:22.394{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B7971A28927615C5490F743468A956,SHA256=603A353FA801B6E416CF6DECE8C15925158724E7E3D4C9BFDEBCE409E8F8DE3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:22.436{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:22.309{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338410304C36D677A20687C9AEA45EDB,SHA256=2A4DCD94DD8165A490BD6A05DFC2DB5D95AF11F4C6664333D313D4C0A2DBD15F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000270722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:22.034{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000270721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:22.034{6820D070-3EF5-6323-4D18-000000007402}52726520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:22.025{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000270719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:22.024{6820D070-3EF5-6323-4D18-000000007402}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000270729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:23.595{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4DFE38BA32BEC94F1D95A6297B661BDE,SHA256=C75F311E78A9FC9AF85C22BD91EED0EA8253BA6E5D54018704EBC63E998B0582,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:23.565{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219A6453086B107D2BAA692726CF79E0,SHA256=41815076D2521924BBCA5B0EC5039DE306B3EA5E72F5BA3EAF855D0931713F56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:23.459{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7AE732AFE75631DF6D912ED8F1CF0D,SHA256=CE918A3B11C8262489B48F3CF1B1BBEFB87581E52A8B7B1F79E72EFFBE6EA571,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000270727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:23.276{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000270736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:22.545{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local50728- 354300x8000000000000000270735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:22.495{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65409-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000270734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:22.491{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65410-false10.0.1.12-8000- 354300x8000000000000000270733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:22.482{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58639- 354300x8000000000000000270732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:22.481{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60754- 354300x8000000000000000270731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:22.479{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local50930- 23542300x8000000000000000270730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:24.570{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5C8A92F9762D2B2BCDFE3E4004DDFC,SHA256=D7DA7039D00679009D9CD2D376B2BF527041A978D868E498C34D0C7D0D84468E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:24.591{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A6119A2422C50ACA09E32F1C462654,SHA256=61911A28FA0215BDE6F4A64D1F871BF368A6C923EB2A4E933CBBE2B6B6F86E62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000167540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:21.255{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55303-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000270760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.968{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CAFC12222EBABBAE5D8C4727EFC79D,SHA256=0CE2C930FDC3A3261E7D27626FA139D8DD972EB7C9308074D49F9A1C13C57675,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000270759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.600{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.598{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000167543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:25.702{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049FC43E5B996462745E6D03BA18BBE4,SHA256=560320D07F6E7197E7287BA3858536E1E3EBCE91A16480B70AC7F4D51D033F12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000270757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.243{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.238{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.231{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.228{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.222{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.219{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.217{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.215{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.210{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.185{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.172{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.167{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.158{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.151{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.143{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.133{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.127{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.117{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.109{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.068{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.065{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 354300x8000000000000000167542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:21.939{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55304-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:26.808{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17997AA69863757F2719D1039A4FC07,SHA256=64188B746D297C8038AB4701749A59A2946AFBB94AFCE2B96311156FACB984BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:26.693{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27425331846C29514387C6A3CF4FFADC,SHA256=536B6381D05151F7DAE28EF07803CE29B518F606C003D78E679F29040D19B206,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000270773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:24.551{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local51174- 354300x8000000000000000270772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:24.550{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64333- 354300x8000000000000000270771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:24.549{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local49476- 354300x8000000000000000270770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:24.549{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59385- 354300x8000000000000000270769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:24.549{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61266- 354300x8000000000000000270768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:24.546{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62007- 354300x8000000000000000270767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:24.546{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59772- 354300x8000000000000000270766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:24.545{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64219- 354300x8000000000000000270765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:24.541{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60377- 354300x8000000000000000270764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:24.541{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58098- 354300x8000000000000000270763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:24.541{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local50724- 22542200x8000000000000000270762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.038{6820D070-EFF0-6322-ED08-000000007402}4396etsy.map.fastly.net0146.75.33.224;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000270761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.038{6820D070-EFF0-6322-ED08-000000007402}4396www.etsy.com0type: 5 etsy.map.fastly.net;::ffff:146.75.33.224;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000167545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:27.934{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B091F4604C28397B0EE4BD702D2FD4CF,SHA256=04F9CCF50A5A5ED743F1D8E545D8144650E99700B35D382025DBF31D0819FB77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000270789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:26.205{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local59143-false172.217.4.196lga15s48-in-f196.1e100.net443https 354300x8000000000000000270788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:26.204{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59873- 354300x8000000000000000270787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:26.204{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local49881- 354300x8000000000000000270786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:26.202{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59142- 23542300x8000000000000000270785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:27.801{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E97C81EB34C7B08B71C3778C89236C9,SHA256=6C99E5F81479A96D283BC991338AEC9C8193796F7AE3BB4B3A8C1797EAE071C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000270784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:27.612{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:27.611{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:27.606{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:27.602{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 354300x8000000000000000270780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:24.572{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local49537- 22542200x8000000000000000270779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.045{6820D070-EFF0-6322-ED08-000000007402}4396youtube-ui.l.google.com02607:f8b0:4009:81b::200e;2607:f8b0:4009:818::200e;2607:f8b0:4009:819::200e;2607:f8b0:4009:81a::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000270778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.043{6820D070-EFF0-6322-ED08-000000007402}4396youtube-ui.l.google.com0142.251.32.14;172.217.0.174;172.217.1.110;172.217.2.46;172.217.4.46;172.217.5.14;172.217.4.78;172.217.4.206;142.250.191.174;142.250.191.206;142.250.191.238;142.250.190.14;142.250.190.46;142.250.190.78;142.250.190.110;142.250.190.142;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000270777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.043{6820D070-EFF0-6322-ED08-000000007402}4396www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:142.250.190.142;::ffff:142.251.32.14;::ffff:172.217.0.174;::ffff:172.217.1.110;::ffff:172.217.2.46;::ffff:172.217.4.46;::ffff:172.217.5.14;::ffff:172.217.4.78;::ffff:172.217.4.206;::ffff:142.250.191.174;::ffff:142.250.191.206;::ffff:142.250.191.238;::ffff:142.250.190.14;::ffff:142.250.190.46;::ffff:142.250.190.78;::ffff:142.250.190.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000270776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.042{6820D070-EFF0-6322-ED08-000000007402}4396p2.shared.global.fastly.net0146.75.38.49;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000270775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:25.042{6820D070-EFF0-6322-ED08-000000007402}4396bazaar.abuse.ch0type: 5 p2.shared.global.fastly.net;::ffff:146.75.38.49;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000167546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:28.974{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33D34707837F5F50DD8D2845FC593A0,SHA256=540A7B554B060A4DE40109807A810A2D12846C02C4543F671AB08D00F8CC73BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000270844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.822{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC7F7FFA285905E5BF5D6DAA8788EA2,SHA256=D2916F0506C4043D7CBF346EA79A834050F867A8EE91ABF1E76A5F077847E063,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.529{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A07C6E1CA0D52904D443D13F51E9F70,SHA256=44EC808FC041F8EF42B473BDFE33D363927E511DA1675553B442C48559D5342B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000270842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.379{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.377{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.371{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.366{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.365{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.338{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.336{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.334{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.331{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.328{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.326{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.322{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.317{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.314{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.309{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.305{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.304{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.304{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.302{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.289{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.287{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.285{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.281{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.271{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.270{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.267{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.265{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.262{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.261{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.261{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.258{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.256{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.248{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.246{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.221{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.219{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.204{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.196{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.160{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.152{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.139{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.135{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.133{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.130{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.127{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.124{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.123{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.120{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.118{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000270793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.116{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 22542200x8000000000000000270792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:26.698{6820D070-EFF0-6322-ED08-000000007402}4396www.google.com02607:f8b0:4009:808::2004;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000270791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.075{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\9219MD5=FE5D41438E0BC9FC882B4A81FC5DAC3F,SHA256=7D40855C89ABA313E35F281131E754E20685F1955718AD672E9673F379309965,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:28.074{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\2688MD5=523381404B015D93341A50993E711C3A,SHA256=519232F4700FA6C6DA28E10C7F77C3230DF270D4EE56F77F4FD03CA97BE7AD25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:29.928{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4593EF6B3F9AE78937C66BB3AACB99,SHA256=6D8664A7E4A70EFD8E7D2CCA7685BADF7B268B84B8AF94CD3BE511DBA9BF0DB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.984{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=D8EC8C2D2950BC7D9CBB361D983AE037,SHA256=9BCA46E6DD4D46DF719F5E838383CFF5A896C10C87869C1902BF2230769ECCEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.980{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=E0CBFFDFD058B619AAD8607648956F62,SHA256=749119AE42AB587F98D206DD34964BD2EBB3BA485FB95FE07C28E1BD0DFAC06B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.978{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=F7D8D34845DA740962D8AF1D1761A765,SHA256=71DC4EE2EFFB258F49BCEAC4C43546395A6FF3A1196151C6F67ED76BB0D0E0CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.977{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\events\newtabMD5=2BAB37F321A60A91079C4EBEE3DCECFD,SHA256=1B0B66E91CE232FD0F974BE08F808497020FAE434CF444CC867BE4EDEEC008D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.976{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=954A31BC2786F4DD5B40C7442D8FBD3C,SHA256=3A7C8B1769F88A7E9886D16777789D2F2415F150FC80D784825C9E4116AB559D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:30.106{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98A65EE3400E1D72FBAF3ADEC2B180F,SHA256=C46CC3FB0111E51B849E1862E1C06F9D3556C03711EE66E67154BE3066D6A004,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000270849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.970{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.963{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e76f08|C:\Program Files\Mozilla Firefox\xul.dll+e65430|C:\Program Files\Mozilla Firefox\xul.dll+42b8d36|C:\Program Files\Mozilla Firefox\xul.dll+2412b58|C:\Program Files\Mozilla Firefox\xul.dll+9b8b70|C:\Program Files\Mozilla Firefox\xul.dll+9707a1|C:\Program Files\Mozilla Firefox\xul.dll+1810d8|C:\Program Files\Mozilla Firefox\xul.dll+9bc4e5|C:\Program Files\Mozilla Firefox\xul.dll+443ab06|C:\Program Files\Mozilla Firefox\xul.dll+97c5dc|C:\Program Files\Mozilla Firefox\xul.dll+97f821|C:\Program Files\Mozilla Firefox\xul.dll+97e4db|C:\Program Files\Mozilla Firefox\xul.dll+97d705|C:\Program Files\Mozilla Firefox\xul.dll+988af0|C:\Program Files\Mozilla Firefox\xul.dll+8b5b12|C:\Program Files\Mozilla Firefox\xul.dll+83635f|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad 354300x8000000000000000270847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:27.565{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65411-false10.0.1.12-8000- 23542300x8000000000000000270846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.839{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\formhistory.sqlite-journalMD5=108ADE616A4A221C4E0C3A7C4DB63E54,SHA256=B89BB3B56385A195C99D7B67010962B9CA89CAAC611DDC2C376D6B6EC948B1FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:31.256{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168C597234207FCC13AFA9F43F62DB9C,SHA256=8A53A868EFC4ED4B92A08B9CA963157325F77620919C5B98D266EDACAA44EB50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000167548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:27.953{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55305-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000270926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.998{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000270925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.997{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000270924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.996{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000270923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.996{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000270922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.996{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000270921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.995{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000270920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.995{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000270919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.995{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000270918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.993{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000270917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.992{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000270916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.991{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000270915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.991{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.990{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000270913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.989{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000270912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.989{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000270911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.987{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000270910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.986{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000270909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.985{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000270908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.985{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000270907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.985{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000270906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.984{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000270905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.983{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000270904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.982{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000270903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.981{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000270902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.981{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+e75602|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.980{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000270900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.980{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000270899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.980{6820D070-EFF0-6322-ED08-000000007402}43961572C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.974{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.974{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.974{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.974{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.973{6820D070-DD00-6322-5E06-000000007402}34204136C:\Windows\system32\csrss.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000270893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.973{6820D070-EFF0-6322-ED08-000000007402}43961208C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000270892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.973{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4396.82.826062375\2092290804" -childID 80 -isForBrowser -prefsHandle 6660 -prefMapHandle 6444 -prefsLen 34176 -prefMapSize 229452 -jsInitHandle 1016 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4396 "\\.\pipe\gecko-crash-server-pipe.4396" 7660 184fe406b48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-DD02-6322-1C5A-600000000000}0x605a1c2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000270891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.971{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.971{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.971{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.970{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.970{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.970{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.970{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.970{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.970{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.969{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.969{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.969{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.969{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.968{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.968{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.968{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.968{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.968{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.967{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.967{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.967{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.967{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.966{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.966{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.966{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.966{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000270865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 15:04:31.964{6820D070-EFF0-6322-ED08-000000007402}4396\chrome.4396.82.82606237C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000270864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.962{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 354300x8000000000000000270863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.302{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62445- 354300x8000000000000000270862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.302{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62171- 354300x8000000000000000270861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.301{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local49958- 354300x8000000000000000270860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.301{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58749- 354300x8000000000000000270859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.300{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65189- 23542300x8000000000000000270858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.322{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2DCEC2C544D76BF7E8BE5FDE09B3AD8E,SHA256=B66A2AA99EF397740254CA4DDF932E5838F142C149496A8EBBD568B5E5D66CBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.144{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\pending_pings\9630e9c0-1d7f-453a-9d80-bd8649f7ab63MD5=A7C7A4AFE0552FE1E1C08F7D7B060C60,SHA256=610095526B427AC91C573CFDBCEFE64C69D0A43047832E6BBBC00719B6605A94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.037{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0163B5AEEA36FDD4561E0BCA31B92A5,SHA256=1B4C2C35951F5FB1F44F4F4F6819799E414ABFE44561D0D2D37A9C251380489D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000270855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.008{6820D070-D2F0-6322-1000-000000007402}1081608C:\Windows\system32\svchost.exe{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:32.287{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368D3C4538B326917B82157D5E8C9928,SHA256=5E0564D9FCAA0C4A5437675B54498A92E9EE2475DFD3AD6305668AC055D02655,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000270983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.166{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local57835-false142.250.190.142ord37s36-in-f14.1e100.net443https 354300x8000000000000000270982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.166{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62698- 354300x8000000000000000270981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.165{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63826- 354300x8000000000000000270980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.163{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57834- 23542300x8000000000000000270979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.680{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\permissions.sqlite-journalMD5=1A1322AAF32E64A2AE9AD81AC7427CBB,SHA256=99393AC408DE12471AC351F46E440C56BA1098B5B30396D8C1B10684F8D67654,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000270978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.467{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.467{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.467{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.466{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.466{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000270973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.466{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 354300x8000000000000000270972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.819{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local57775-false172.217.2.35atl14s78-in-f3.1e100.net443https 354300x8000000000000000270971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.490{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local62840-false142.251.32.3ord38s33-in-f3.1e100.net443https 354300x8000000000000000270970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.489{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local49341- 354300x8000000000000000270969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:30.487{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62839- 23542300x8000000000000000270968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.105{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA2884662AF7DB2287AB250EEBC9B9C,SHA256=F39EC493A3CB13815C550ED7A701905EF439759DF00F0CC4EA392206B83383A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000270967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.059{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000270966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.058{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x8000000000000000270965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.055{6820D070-D2F0-6322-1000-000000007402}1081608C:\Windows\system32\svchost.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.054{6820D070-D2F0-6322-1000-000000007402}1081608C:\Windows\system32\svchost.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.049{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000270962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.047{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000270961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.046{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000270960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.043{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000270959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.042{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.042{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.042{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000270956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.040{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000270955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.038{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000270954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.038{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000270953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.038{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000270952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.037{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000270951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.037{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x8000000000000000270950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:04:32.034{6820D070-EFF0-6322-ED08-000000007402}4396\LOCAL\cubeb-pipe-4396-79C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000270949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 15:04:32.033{6820D070-EFF0-6322-ED08-000000007402}4396\LOCAL\cubeb-pipe-4396-79C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000270948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.032{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000270947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.031{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000270946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.031{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000270945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.016{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000270944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.014{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000270943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.013{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x8000000000000000270942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:04:32.013{6820D070-EFF0-6322-ED08-000000007402}4396\gecko.4396.1572.1604693374814014249C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000270941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.013{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 17141700x8000000000000000270940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 15:04:32.013{6820D070-EFF0-6322-ED08-000000007402}4396\gecko.4396.1572.1604693374814014249C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000270939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.012{6820D070-EFF0-6322-ED08-000000007402}43961572C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000270938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:04:32.011{6820D070-EFF0-6322-ED08-000000007402}4396\chrome.4396.82.82606237C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000270937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.008{6820D070-EFF0-6322-ED08-000000007402}43963484C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000270936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:04:32.007{6820D070-EFF0-6322-ED08-000000007402}4396\gecko-crash-server-pipe.4396C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000270935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.002{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000270934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.001{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000270933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.001{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000270932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.000{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000270931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.000{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000270930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.999{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000270929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.999{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000270928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.999{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000270927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.998{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 23542300x8000000000000000167551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:33.386{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57F4DFB477BFBAF042B14A0D005E071,SHA256=A79C81A0DDDFDBAC9219EB1E1764E1C7360DF862D742DDE49E19A6E41618730F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.271{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65413-false23.11.7.183a23-11-7-183.deploy.static.akamaitechnologies.com443https 354300x8000000000000000271018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.248{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59213- 354300x8000000000000000271017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.228{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59770- 354300x8000000000000000271016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.228{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59675- 354300x8000000000000000271015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.228{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local50502- 354300x8000000000000000271014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.228{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57776- 354300x8000000000000000271013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.227{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59001- 354300x8000000000000000271012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.227{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65472- 354300x8000000000000000271011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.225{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local49783- 354300x8000000000000000271010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.223{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59303- 354300x8000000000000000271009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.223{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59123- 22542200x8000000000000000271008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.103{6820D070-EFF0-6322-ED08-000000007402}4396js.monitor.azure.com0type: 5 aijscdn2.azureedge.net;type: 5 aijscdn2.afd.azureedge.net;type: 5 firstparty-azurefd-prod.trafficmanager.net;type: 5 dual.part-0012.t-0009.t-msedge.net;type: 5 part-0012.t-0009.t-msedge.net;13.107.246.40;13.107.213.40;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000271007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.761{6820D070-EFF0-6322-ED08-000000007402}4396e13630.dscb.akamaiedge.net02600:1405:9000:2b6::353e;2600:1405:9000:2af::353e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000271006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.741{6820D070-EFF0-6322-ED08-000000007402}4396e13630.dscb.akamaiedge.net023.11.7.183;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000271005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.719{6820D070-EFF0-6322-ED08-000000007402}4396part-0012.t-0009.t-msedge.net02620:1ec:46::40;2620:1ec:bdf::40;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000271004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.718{6820D070-EFF0-6322-ED08-000000007402}4396part-0012.t-0009.t-msedge.net013.107.246.40;13.107.213.40;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000271003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.717{6820D070-EFF0-6322-ED08-000000007402}4396js.monitor.azure.com0type: 5 aijscdn2.azureedge.net;type: 5 aijscdn2.afd.azureedge.net;type: 5 firstparty-azurefd-prod.trafficmanager.net;type: 5 dual.part-0012.t-0009.t-msedge.net;type: 5 part-0012.t-0009.t-msedge.net;::ffff:13.107.213.40;::ffff:13.107.246.40;C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000271002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.662{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000271001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.374{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628,IMPHASH=31EA1856BC7597303D8126028BBFDFB8trueMicrosoft WindowsValid 734700x8000000000000000271000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.369{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\Windows.Globalization.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=D92AABEAF72AB2FB3B2E2F911477039E,SHA256=300FEBB1EFE1EECA4F535A828104A8F4AEF8FC4785A0456B2D8DA76E7EDAFC96,IMPHASH=0280A5811869EFED56B453A140477D51trueMicrosoft WindowsValid 10341000x8000000000000000270999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.345{6820D070-D2F0-6322-1000-000000007402}1081608C:\Windows\system32\svchost.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000270998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.445{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61989-false142.250.191.162ord38s30-in-f2.1e100.net443https 354300x8000000000000000270997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.444{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63194- 354300x8000000000000000270996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.444{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58065- 354300x8000000000000000270995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.442{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61988- 354300x8000000000000000270994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.387{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65412-false142.250.190.10ord37s32-in-f10.1e100.net443https 354300x8000000000000000270993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.369{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64050- 354300x8000000000000000270992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.367{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60987- 354300x8000000000000000270991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.335{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63731- 354300x8000000000000000270990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.335{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50704-false142.250.190.130ord37s36-in-f2.1e100.net443https 354300x8000000000000000270989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.334{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52655- 354300x8000000000000000270988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:31.332{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local50703- 10341000x8000000000000000270987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.109{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.104{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e76f08|C:\Program Files\Mozilla Firefox\xul.dll+e65430|C:\Program Files\Mozilla Firefox\xul.dll+42b8d36|C:\Program Files\Mozilla Firefox\xul.dll+2412b58|C:\Program Files\Mozilla Firefox\xul.dll+9b8b70|C:\Program Files\Mozilla Firefox\xul.dll+9707a1|C:\Program Files\Mozilla Firefox\xul.dll+1810d8|C:\Program Files\Mozilla Firefox\xul.dll+9bc4e5|C:\Program Files\Mozilla Firefox\xul.dll+97c5dc|C:\Program Files\Mozilla Firefox\xul.dll+97f821|C:\Program Files\Mozilla Firefox\xul.dll+97e4db|C:\Program Files\Mozilla Firefox\xul.dll+97d705|C:\Program Files\Mozilla Firefox\xul.dll+988af0|C:\Program Files\Mozilla Firefox\xul.dll+8b5b12|C:\Program Files\Mozilla Firefox\xul.dll+83635f|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb 23542300x8000000000000000270985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.090{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09144D94FC64868D7E63FBA609E5B849,SHA256=250FEB4C4589F777CD4FB12A29BE7B895B7EF18FEDACF85D37C24A10AA2742BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000270984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.074{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D41C78AF0FA5116B9F9899C5858DA0B,SHA256=2184A0F1FD6E75C759F8D725BA4911BC0227A1E52FCBB78BAA32214F8358113B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:34.429{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CE6A264106D6F3BA444C59321C1B77,SHA256=29886FAAF0D93F1EBBC966C0D23E4D91B36C34FBEE70D0245A87D5A494F7FAB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.151{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65418-false13.107.21.200-443https 354300x8000000000000000271145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.139{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58996- 354300x8000000000000000271144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.139{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52175- 354300x8000000000000000271143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.137{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local51773- 354300x8000000000000000271142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.050{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65417-false20.110.81.91-443https 22542200x8000000000000000271141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.633{6820D070-EFF0-6322-ED08-000000007402}4396dual-a-0001.a-msedge.net02620:1ec:c11::200;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000271140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.632{6820D070-EFF0-6322-ED08-000000007402}4396dual-a-0001.a-msedge.net013.107.21.200;204.79.197.200;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000271139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.027{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60052- 23542300x8000000000000000271138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.541{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAEBE40241C1D2654EFFBA601FF4200,SHA256=93A0738834CA79635E824940F58DED53661A81DA368FE7B332036AAE0AC6C656,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.512{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\permissions.sqlite-journalMD5=740354969A8F72703CC27FCFC1C89381,SHA256=F189316DCD16D65A000EC49729CDE5168696EF91D5E46C088B3DB9C44BD888A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.490{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000271135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.490{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000271134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.490{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000271133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.489{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000271132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.489{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000271131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.489{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 354300x8000000000000000271130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.633{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65414-false13.107.213.40-443https 354300x8000000000000000271129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.631{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65415-false13.107.246.40-443https 354300x8000000000000000271128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.627{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65416-false10.0.1.12-8000- 354300x8000000000000000271127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.609{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52217- 354300x8000000000000000271126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.586{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64871- 354300x8000000000000000271125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:32.586{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63126- 23542300x8000000000000000271124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.277{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22890989687A430E71940BD36791B598,SHA256=B5840C26645F7E867E5DF3D6F9E968D356B65F2789DB2870D8729F63427D4EF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000271123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.185{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000271122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.185{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x8000000000000000271121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.182{6820D070-D2F0-6322-1000-000000007402}1081608C:\Windows\system32\svchost.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.181{6820D070-D2F0-6322-1000-000000007402}1081608C:\Windows\system32\svchost.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.178{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000271118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.177{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000271117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.176{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000271116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.173{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000271115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.173{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.173{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.172{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000271112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.171{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000271111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.169{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000271110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.169{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000271109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.168{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000271108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.168{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000271107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.168{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x8000000000000000271106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:04:34.164{6820D070-EFF0-6322-ED08-000000007402}4396\LOCAL\cubeb-pipe-4396-80C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000271105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 15:04:34.164{6820D070-EFF0-6322-ED08-000000007402}4396\LOCAL\cubeb-pipe-4396-80C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000271104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.162{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000271103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.162{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000271102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.161{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000271101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.149{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.148{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000271099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.147{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x8000000000000000271098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:04:34.147{6820D070-EFF0-6322-ED08-000000007402}4396\gecko.4396.1572.4375095406950277536C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000271097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 15:04:34.147{6820D070-EFF0-6322-ED08-000000007402}4396\gecko.4396.1572.4375095406950277536C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000271096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.146{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000271095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.146{6820D070-EFF0-6322-ED08-000000007402}43961572C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000271094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:04:34.145{6820D070-EFF0-6322-ED08-000000007402}4396\chrome.4396.83.122734724C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000271093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.143{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21883A2AF6A44B9F147B76CEED72E158,SHA256=567940D1512FEA95D0A02586F80669FBB4E70696E5384CA117DBD6FFA4C0B279,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.142{6820D070-EFF0-6322-ED08-000000007402}43963484C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000271091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:04:34.141{6820D070-EFF0-6322-ED08-000000007402}4396\gecko-crash-server-pipe.4396C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000271090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.137{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000271089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.137{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000271088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.136{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000271087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.136{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000271086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.136{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000271085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.136{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000271084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.135{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000271083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.135{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000271082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.135{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000271081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.134{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000271080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.133{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000271079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.133{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000271078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.132{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000271077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.132{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000271076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.132{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000271075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.132{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000271074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.131{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000271073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.130{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000271072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.129{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000271071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.129{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000271070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.129{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.128{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000271068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.127{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000271067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.127{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000271066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.125{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000271065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.125{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000271064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.124{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000271063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.124{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000271062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.124{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000271061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.123{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000271060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.123{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000271059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.121{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000271058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.121{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000271057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.120{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+e75602|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.120{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.120{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000271054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.120{6820D070-EFF0-6322-ED08-000000007402}43961572C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.114{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.114{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.114{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.114{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.114{6820D070-DD00-6322-5E06-000000007402}34204672C:\Windows\system32\csrss.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000271048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.113{6820D070-EFF0-6322-ED08-000000007402}43961208C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000271047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.113{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4396.83.1227347244\1595453121" -childID 81 -isForBrowser -prefsHandle 6616 -prefMapHandle 5444 -prefsLen 34176 -prefMapSize 229452 -jsInitHandle 1016 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4396 "\\.\pipe\gecko-crash-server-pipe.4396" 5624 184fc14d048 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-DD02-6322-1C5A-600000000000}0x605a1c2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000271046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.112{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.112{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.112{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.111{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.111{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.111{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.111{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.111{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.111{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.111{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.110{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.110{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.110{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.110{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.110{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.110{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.109{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.109{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.109{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.109{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.109{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.109{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.109{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.108{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.108{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.108{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000271020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 15:04:34.106{6820D070-EFF0-6322-ED08-000000007402}4396\chrome.4396.83.122734724C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000167553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:35.512{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99A69F9E3759033D96E09BB1182FAB6,SHA256=B897EF91166AD38171256B5B5557697A36AA45F89A39AE49668682C369C8246A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.968{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65419-false52.182.141.63-443https 354300x8000000000000000271153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.928{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65512- 354300x8000000000000000271152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.928{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59687- 354300x8000000000000000271151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:33.926{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65092- 22542200x8000000000000000271150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.434{6820D070-EFF0-6322-ED08-000000007402}4396onedscolprdcus01.centralus.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000271149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:34.421{6820D070-EFF0-6322-ED08-000000007402}4396onedscolprdcus01.centralus.cloudapp.azure.com052.182.141.63;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000271148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:35.827{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\4617MD5=87406962D14A0D4CE32DBA91DB7A3F6B,SHA256=7203F3A095F1B75EE2FE133F1B6FB75B97ECED0A7D51016F20D0AFCE90DFD2C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:35.148{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B6B1419C7BE0B5262F44DCD171E9EC,SHA256=CE988B893960916A400D3CD53FCE47F5C99F7850ADC0C711AAE425E83BDAEBE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:36.628{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667B77E7C24864036C8383A20072CB35,SHA256=407601AF6F80E43798FF309031577CBE3EF0D4B1098E3F6E50AF25635FD0AF48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:36.660{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=B7ECD9A177C7101FC3A5C5F8D647AB98,SHA256=5730726BF5293005ADA2838D48E18571CB423076E9EB3361EBD70022B2C964DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:36.653{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\default\https+++www.google.com\ls\usageMD5=E3325F18C820BFAC0B6EFD0254F734C0,SHA256=A5AD83109209C86839EE54F3D792D9C0F852CEF8EF88FA1569886D34E1D43260,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:36.461{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA73C7D0701CAE107EAB5F51CC9FB29,SHA256=06134DB1AA25AC47ABF2D782ABE3DEEA037B39AB2B74FF40E3CA96E54149101A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:33.952{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55306-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:36.185{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=DFE2DC07107E0DAC8E1C3143073C439B,SHA256=1DA12A56BCE7B4C17434EB93C78706B827464928B219E2789185C048182EBA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:37.567{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54711DCC734D6AB017C8F3C3A267AE15,SHA256=49FD7C18EA66E9398707BB0892E2809D1798D7CEDD1D97FB659D62A666F546C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:37.996{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:37.991{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:37.985{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:37.978{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:37.969{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:37.960{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:37.957{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 23542300x8000000000000000167557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:37.753{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB94A7B5DF88C0233A33A407DB2093E,SHA256=EE13805FE25535E434038F43A1037B14827FB60D2E26CA746D1C92ED7908CFF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:38.572{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50C5A70A53A8BE3CB4A2911F9295CD3,SHA256=50A111284E05CB9D0470BEB52625F14C9BA84A0708BE47E173E9E15799B6F6EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.853{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FA103844D60FE553B0BCC6E3F48B7E,SHA256=727F2805F5B8CA9790FF817DC6B436FEAE0C062068142C3130A5B776C599983C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.603{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0470BB9C94E6C8CB49AA963C3A3F6D3C,SHA256=C64DA2405FA74DB31971CF8DFA56E3B19E021225256405AA7CB1928EED06F6E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.352{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 354300x8000000000000000271159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:35.312{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63764- 10341000x8000000000000000167606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.350{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.346{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.343{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.341{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.322{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.317{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.317{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.313{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.313{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.310{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.307{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.299{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.297{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.276{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.259{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.246{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.209{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.203{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.190{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.180{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.176{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.172{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.169{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.167{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.161{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.159{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.157{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.155{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.153{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.149{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.146{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.135{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.132{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.129{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.117{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.114{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.086{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.076{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.041{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.033{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.023{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.011{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 23542300x8000000000000000167610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:39.868{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BDBFF8AE2CE811EF7099160A2D903B1,SHA256=64CB944009C20618EBBF050F972747D4DBEFB3F10AA5B74904475B29834F8AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:39.678{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F0B1B3CA1009EF7F6DF4C0FDF9FA31,SHA256=AF0D05E2ACA29CFC6C5D7AF5FA2E518103BABCF98B216B83B09E952BAB9F88E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000271163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:37.013{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local50810- 354300x8000000000000000271162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:37.013{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59630- 354300x8000000000000000271161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:37.011{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local51177- 23542300x8000000000000000167612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:40.968{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFAD01CEC7A7901DD1A355B6A574CDD1,SHA256=18B1A32E674457B5F2429D3E7CC1E5FF4D16CE486C40978159D98DDC5185C755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:40.783{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2163F3380F876D8CBF06D0535DBE4F,SHA256=1873E36AF8DEBF044A40D558A52299C39705A8F0C6E3C53A8FFDB58394735B5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:40.227{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=839F91F84E0C52CEC20E55C04D8C1F8B,SHA256=101EDCFAE97780D93990770FDAD6A7A7B2838A33E4E6F5E3DBCB9482965078DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:37.651{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65420-false10.0.1.12-8000- 23542300x8000000000000000271169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:41.889{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9FCCF9D1A9A9708298E8B50822E388,SHA256=049A7849EBAADD4F8896BD9C169928628307477234A62CAB54F02C22594D795D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:38.975{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55307-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000271168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:38.722{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64833- 354300x8000000000000000271167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:38.716{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64717- 23542300x8000000000000000271170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:42.993{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC6B9B4CD1EB60BB597CC0237864ED6,SHA256=0C291516654B0B9D10BEACD500AC23DACE8A681824D50E1355ADD57E3898B715,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.383{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:42.083{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D7BF5C9F8043390FF250EB6310B004,SHA256=C285F25F7869082B7D42F1D4586D4A4F037D22ECB50E569D75F04E0A4A6BA384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:43.399{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94420B7C8057946074697E4E059D6572,SHA256=79C98954E28787A7DF80E0B64B9FB14F13D60263B40CC03D8A900A33D0B43300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:44.535{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA56A78B4B2C5BEDDBE2956B09A7686,SHA256=CF6DD884A290BA5809FCF7EA6ADE256D496BAC5EDFAEF9947DBF301A6FEC70FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:42.691{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65421-false10.0.1.12-8000- 23542300x8000000000000000271171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:44.301{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E0FBF783011C8C230F64A15EB4B2FE,SHA256=27E621B5048862A4BC54BFA899578E5627165A258188BA9D4D8BDC1F67A1038F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:45.651{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA6231F157310D7CF1B6B8057A05EF9,SHA256=42DB813469DF9610632740F7B86FD0795D6279E87952BDFC9B62DF582BBA910F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.676{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.674{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000271194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.416{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF8368CD7915F47DFB3BBC597186B09,SHA256=0B07FB9224F0AA3CD5298663E6B9E4997FC671882DC3CFA096753EF4180A2ABF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.281{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.275{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.267{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.262{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.256{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.253{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.251{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.249{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.240{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.212{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.195{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.186{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.177{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.169{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.161{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.151{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.142{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.131{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.124{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.087{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.083{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000167649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:46.782{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569CF3DD15CF57F875F8A23F0F0D1C19,SHA256=EEC76470ED02FD073E6A341AD00635FC12F1B6B7575D9ED795D8EEF5B86D7801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:46.623{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B706CBADAB844EE3CE43591F0CAE841,SHA256=6173AD930357D536239C18C154B2F035A999FDD25F75506BE8F2734A37680439,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:46.429{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=3D477CE1D4B044368CAEE055BE4F72C6,SHA256=81A37DA5B97958F5FBFB9AFF975931C554A6114A02B42FF9A4927C359E40074A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:46.009{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:46.008{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:47.881{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2FD8E9C287DE0690FEF9975ABD0C94,SHA256=34E96AC51F01E064BF33022C2489D5D4CEA4C92FC8F405A841F2E6DA68A621B0,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000271214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:47.748{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000271213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:47.739{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000271212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:47.737{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000271211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:47.734{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000271210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:47.732{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000271209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:47.728{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 23542300x8000000000000000271208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:47.728{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC32771E508442CAADCC7A41B724A93B,SHA256=3E588DFC195A9403106AC13988AF71AB3BB0C349103F25096B877C4C1D404272,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:47.722{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:47.686{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:47.685{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000167658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:47.803{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F0F-6323-680F-000000007502}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:47.802{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:47.802{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:47.801{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:47.801{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:47.801{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-3F0F-6323-680F-000000007502}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:47.800{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F0F-6323-680F-000000007502}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:47.799{E743DC12-3F0F-6323-680F-000000007502}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000167650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:44.983{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55308-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000271204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:47.679{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:47.677{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 354300x8000000000000000271202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.483{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local65422-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000271201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:45.483{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local65422-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 10341000x8000000000000000167679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.983{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F10-6323-6A0F-000000007502}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.983{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.983{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.983{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.983{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.983{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-3F10-6323-6A0F-000000007502}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.983{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F10-6323-6A0F-000000007502}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.984{E743DC12-3F10-6323-6A0F-000000007502}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.952{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD803BB8C3DF0329C6B12CC7F73FE5E7,SHA256=5C8FECA8B79DB0E0AD71A17EE806D5836495B15D4D83747C9C7F96F2AB4BFDF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.899{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=337BD0AA717CD7F3BDCF9F7BF7E6EE8B,SHA256=048DD5BBEB8E03B962EAAFDD3241C95FFC332477C39D147D4563D1609284DCB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.787{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74BF0A9CA4085A756DBAD21BC373C39,SHA256=CBC62074ABEA1D9E86121F60A25C7A229A6FB52B63D9DEC65C14277EBF55CE52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.786{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3B2604564661DE9FEA4B3D8A8A93AA,SHA256=6C9FA6AA4C5E4BEE9D64066E8FD1D07361189A3A5CAB10AB165EC1921F43C672,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.730{6820D070-D2F0-6322-0D00-000000007402}908652C:\Windows\system32\svchost.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.549{E743DC12-3F10-6323-690F-000000007502}41123676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.366{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F10-6323-690F-000000007502}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.366{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.366{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.366{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.366{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.366{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3F10-6323-690F-000000007502}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.366{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F10-6323-690F-000000007502}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.367{E743DC12-3F10-6323-690F-000000007502}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:48.274{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=17A2586075776CB712FD6A5F431D1FAC,SHA256=847F2D5C35BFE85B510FF79BDF0F9151FEFE7E755E1F6200DE3B2011607DF53A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.484{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.482{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.478{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.476{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.474{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.469{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.468{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.448{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.445{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.442{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.439{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.435{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.431{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.426{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.423{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.419{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.415{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.414{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.413{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.411{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.395{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.393{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.391{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.389{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.379{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.378{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.375{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.373{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.366{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.365{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.365{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.359{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.356{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.347{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.345{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.312{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.311{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.285{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.275{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.235{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.226{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.215{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.209{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.207{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.204{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.201{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.198{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.197{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.194{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.192{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000271215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.190{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000271269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:49.794{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8516CFF9A10C0CDCC0F675C87E105EAE,SHA256=8A87540D66A63AA0B71785D97B348365450E88028C39F2B51975360A286B73F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:49.811{E743DC12-3F11-6323-6B0F-000000007502}52085700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:49.651{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F11-6323-6B0F-000000007502}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:49.651{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:49.651{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:49.651{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:49.651{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:49.651{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-3F11-6323-6B0F-000000007502}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:49.651{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F11-6323-6B0F-000000007502}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:49.652{E743DC12-3F11-6323-6B0F-000000007502}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000167680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:49.155{E743DC12-3F10-6323-6A0F-000000007502}44883052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000271270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:48.547{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65423-false10.0.1.12-8000- 23542300x8000000000000000167699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:50.414{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-439MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:50.328{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F12-6323-6C0F-000000007502}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:50.328{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:50.328{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:50.328{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:50.328{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3F12-6323-6C0F-000000007502}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:50.328{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:50.328{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F12-6323-6C0F-000000007502}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:50.329{E743DC12-3F12-6323-6C0F-000000007502}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:50.010{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC9C50FC5A6EB87AC2CDFA9AAE9F4CE,SHA256=6A8AAAF55BAB1BF450B184A0D502A4C81987A63C836FEA6DDA39C72D82D0B949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:51.099{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B297A55243F365BC3DDC64095800F7,SHA256=30AC1578E9F8F498EF35ABBBBF4669997A256D434BFD263549F1223961F0BF2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.869{E743DC12-3F13-6323-6E0F-000000007502}53204592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.670{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F13-6323-6E0F-000000007502}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.670{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.670{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.670{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.670{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.670{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-3F13-6323-6E0F-000000007502}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.670{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F13-6323-6E0F-000000007502}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.672{E743DC12-3F13-6323-6E0F-000000007502}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.411{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-440MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.271{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=89643F8886186E6F6AB601955EFC140E,SHA256=46955ACBF4DB56497B23D5B7F570C702C5EF2CB6F2061E894E3B3E36337FF621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.069{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36946B3EA8A3BB0DFAC03E558D3436D7,SHA256=0763BB2F0DD246B0CA304106217B5493E26478BCA61EC6CF75BDE03E0FA115B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.007{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F13-6323-6D0F-000000007502}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.005{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.005{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.005{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.004{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.004{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-3F13-6323-6D0F-000000007502}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.004{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F13-6323-6D0F-000000007502}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:51.002{E743DC12-3F13-6323-6D0F-000000007502}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:52.205{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9930E6CBB1D4082212C2007D896543E3,SHA256=6BD516394C10DA1C517E29B241DD908A003EC5DB1A539470B4BD68382CAA5150,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:50.027{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55309-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:52.130{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1826301501835B2156A49E09F6203EFA,SHA256=635FFC97ABFA2DA28DE0DDB49B278AAFB3906A6E0F3DA296324670A958C9AEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:53.214{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19485EFF3C5F48D0C8019B2F4C08173,SHA256=45192808AB50B8A21C2BB0E17FED8760F9D90611480F1EAD277823CCE497FB19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:53.911{6820D070-DD04-6322-7906-000000007402}26568088C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:53.911{6820D070-DD04-6322-7906-000000007402}26568088C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:53.910{6820D070-DD04-6322-7906-000000007402}26568088C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:53.906{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:53.905{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:53.905{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:53.905{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000271274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:53.618{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=24221582B0A929C09EF2F1EE325C2140,SHA256=32A7ED08799D291B79A6E8AC7D28C49BF983CA46D5520ED738B29994C8930B11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:53.309{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96564604BAE20612F77C488EFED62E58,SHA256=E78CFB630EA12A825038939912D33FF09D03F313C7E84420DC6AF75A49EC9559,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:54.694{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:54.694{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:54.351{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:54.351{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000271282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:54.318{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44CDC9D521D19AD63BDE49B69FE78FA4,SHA256=8A3318A69C868798ECCBAC0E64C392C5222248F616C053943436AD61DAEE6663,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:54.234{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30C6943072A51EA66299DEE7371670F,SHA256=661AC84EC89DA810619AF813797D385760241EEA925EAD13A56CDCB915A58185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:55.424{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B84F6CF5EDF34AC9E362D0E4553221,SHA256=86E4F64953D47C7A6A2F0CE05D62E494D0B5FC80C8A7FDE2AD0A8CA97C607350,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000271287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:53.668{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65424-false10.0.1.12-8000- 23542300x8000000000000000167724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:55.291{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B119470CA98AD59D3CDC2B31B761CFE,SHA256=0869045FBF14F82917459C008A514734EF98E64A436EDDFF7683B9E2D4A511E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:56.428{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9969CC61D872C200ED16FE94E3A35BF,SHA256=1870A14295A6BE934A658E36EE84F600DAD8D2C4A13A9DE9912443EDFE7A4F86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:56.346{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D36F1D7FB8C11A6A5239FCB05BDE0B,SHA256=6703EEA2ED452B883DB71E56994FEC9B190ADB05628A0ED7EC3275F2A6DD8BD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:57.998{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:57.993{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:57.985{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:57.978{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:57.969{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:57.961{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:57.958{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 354300x8000000000000000167727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:55.109{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55310-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:57.412{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7A478E96A619B087EFDFA76C5F9C4E,SHA256=16ADDA0439DB098CA1D5FE4C4A8EDABE10CD28B596DDF586C75D340AC78EE2C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:57.433{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007E50A4181237A4D412EA10C8C3E13D,SHA256=1349BC1B9424EA7A465B707B988DA7ECE1111F14AD6F4EE12AF2A652B2E8E1F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000271291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:55.449{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63574- 354300x8000000000000000271290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:55.446{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58719- 23542300x8000000000000000271293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:58.440{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E8C9E5E4EB64F18BA48FE08F8C9790,SHA256=428E10017DF232EF355E792CD36D86DB02C325471C98CFBBA04BE4E2A73B301E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.865{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E81AD6E6CE70B90FB362F3BD87918CA,SHA256=66B8167F0B46F48B5D1B2720EF2562184C44CBB4CE200C24BEE5C98D5FCAE864,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.398{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.394{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.391{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.388{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.385{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.368{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.366{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.366{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.362{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.357{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.353{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.346{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.335{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.333{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.312{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.299{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.283{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.243{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.231{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.211{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.203{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.197{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.195{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.189{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.186{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.179{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.176{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.175{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.171{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.169{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.167{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.165{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.155{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.151{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.143{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.134{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.130{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.108{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.094{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.054{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.045{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.034{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 10341000x8000000000000000167735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:58.022{E743DC12-DCF5-6322-7D03-000000007502}55365816C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000170515D0) 23542300x8000000000000000167779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:04:59.916{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3137E8FB7607EC19AC30B84C68542A78,SHA256=30B967C6D67355AFCEE43DB282FEC0B5ACB75D1495FE3FF07AEB01A4A4CADF82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:59.549{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5131D1D1947E6413732806F00CA55501,SHA256=82B93D76213670E61CFAF9C5863DDE34169D8F08887AB89C0401BD4C9A1FD37C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:00.972{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B7BAC26F0320CBEAC867A818EB7790,SHA256=38AEE40522F360235B3678B2F029C7B2639DBF539BE001FC242F821A85D88A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:00.858{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E2C8FAD4DB4E35E1916BC3AE98D4A5,SHA256=E2404FDFF9B7DAB13C55E6A5DD8913557B796E1C5C5657D361E8FA96AEDD22E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:01.968{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE8CD5C1269E3095559173436E26AE0E,SHA256=02AA630CF38B2AD3618FDCE3B58DD5CB68349CC6C6C9F82FAB0C458C0BA0104E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000271297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:04:59.622{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65425-false10.0.1.12-8000- 23542300x8000000000000000167781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:02.005{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6012EF81A8A2FD4BF8DA291CE334535,SHA256=94AE8B88AF3F7F5E169A890D7C5A0F38CA4A077BAF316ED1D05EC34749F5FF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:03.179{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A9CD53F3355D12B1172AD8ECB34B3B,SHA256=D64B4E8AF87010F5093054CD58C5F830228C8EC4106BA6CE8CE89A8FECB826C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:00.972{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55311-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:03.080{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18AD40E8FF3E012B1F0DA9594925764,SHA256=01A0A8096984D99D6D8DA02DBA93193969C6131401EC57184BB2F8C99934AE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:04.430{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=364FB34640B45656431C6B77D99DBF56,SHA256=85D08C9E88DED6BA43B1D3E97B0768E1B20CAC5FD93FF84BAAA82B68866B113D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:04.288{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B91612501FE880C6139A29511B4A1E0,SHA256=8EF1F60609E04880194E29446DD6F14992384BEEB0DA27185045338BCF007EA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:04.131{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EDA6F37D306AA0DDA4BC5D040A9D6FB,SHA256=69C66B3E3DC5EA863AE49C0CDE5F99A7B70C24E73E7EF6F55C2E74848B439296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.706{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.704{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 354300x8000000000000000271324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:02.714{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65426-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000271323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:02.714{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65426-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000271322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.408{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7848FF79B75AB579ECE56B9F8811B30D,SHA256=9EA9EBADFC8892F3FA30A4230CB122381CF65150D867AB2084FB5400712061D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:05.161{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49433F5C8B49A569369EABD1488F6E1,SHA256=9392CBF017124ADCFB30AB82BBA43891A8CCF4B78F8240F666CD3F91F407F08E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.262{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.253{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.241{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.231{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.218{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.212{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.210{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.208{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.202{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.171{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.156{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.148{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.138{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.133{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.129{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.125{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.118{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.107{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.100{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.068{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:05.066{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 354300x8000000000000000271331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:04.656{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65427-false10.0.1.12-8000- 23542300x8000000000000000271330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:06.419{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C0CA5A035B8ED28B534EFD587E303E,SHA256=A29CBC25E4904B06BFE71EC8E9B2460FCA3116E5C5BCE490C7EB75CA9B123A02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:06.488{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=54D56E816655D6AF23CB44C1FA015374,SHA256=4703217C7E2A7173DEF88CF2CF4E794D185BAA63D0F73AC3ECD58F725CDF4BD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:06.247{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\aborted-session-pingMD5=B52CAE7C8B4F71844345441D1ED5E603,SHA256=F2C631EEE85CDBB6EB69A399DFCAD6616DD010606BECD14CD8EE403B6277CC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:06.218{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CB67E4275BEB621EF04550BC5475CB,SHA256=6F8C5E7FBA96D8681344CFF061600CC2383782C317AE99B0B221F2DCE2498C05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:06.216{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:06.205{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:06.205{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:07.289{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBB9165E3EF6A709DE6A6BF144EE030,SHA256=2CF3876E64171DEC47C84CFC486458D44210D2AB405CE4F736E685C1A9D6CF58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:07.719{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:07.718{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:07.711{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:07.709{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000271332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:07.628{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97516753CFA7BA4A52C2BF94C5E10B6,SHA256=0F3731877B8E00214CF266B0C3C75CA0FEA63B8A689A03993894300A04DA564D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.674{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9173B44940BFD6399CBFFDDE04E2F3F7,SHA256=002B79FD75DA085D251C1B83F7645285FD62E3632005DCF5958AA87D1EF73F7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:08.321{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9CF0B611333F14C1C3A407C318DC3D,SHA256=E7C15B25190B080146F9212FB61CA2F9BB309F887F1FF577F37BE6BA50A0A7B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.621{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CCC534B2A812C31EFE27940C2561A82,SHA256=C9D35FE0D95D35C2E90AD2BA460AA24314BA27E65DC6BE633C87ACA9F148CC37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.503{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.501{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.496{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.495{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.493{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.488{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.487{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.469{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.466{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.461{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.458{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.456{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.452{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.448{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.444{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.439{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.437{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.436{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.436{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.435{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.422{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.421{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.418{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.416{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.407{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.406{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.403{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.400{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.396{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.394{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.394{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.388{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.384{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.374{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.372{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.342{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.339{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.314{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.306{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.264{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.257{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.246{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.241{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.240{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.237{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.234{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.231{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.229{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.226{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.225{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:08.223{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000271444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.843{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C93D42C36B6EEFD67EAA917683263B2,SHA256=1BEA8E6824FFC9DCE39BA467A16E84AEDD70CC66BD67A7FD5C9422824E3F654C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000167792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:06.937{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55312-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:09.368{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96F4BC192629D3195C080241697E754,SHA256=CC50D0FCDECDA3AC87054717160DC2D1F017B07BD72CBC3E2BC3FD2979889E0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.720{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.720{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.720{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.720{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.720{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000271391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.683{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A568FE63F945078F71FF5B97B8C77FB,SHA256=54571DAD50085A8E5ABAFE011F61B90829C0A9430023D248640742649E109A87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:09.039{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-449MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:10.707{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE3F1EB3A7BC610DF564627B58A4A3C,SHA256=7F8F3F7F40B87601A05EB1EACED9A3838A5DD2DEF2E113F6DC54AD34401505C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:10.416{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C9CA0FB87A110F7C74D8E70F0D644D,SHA256=FDD9B4F155412C1EF7ABB9CC3122D79A413A149C150FC82DE6FF821D8CB8E851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:10.037{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-450MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:11.817{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC312DF08952998645DEE6854A488AE,SHA256=ACB5B74534E780BC8C1F56167BEF13705546D22ED0F76E68CB8CC765CF286781,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:11.499{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=BE700AC3C7D8A81BD25DB22C48C277CA,SHA256=4216A260A345C66D58CC675DB942BB27747FDEF100A5DB53CAC703DFA3173F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:11.459{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD70B31D57A1971B825F4B4459025FCF,SHA256=B2FDCED24ABE38136B4FC11A1F862D4FFC55724DD23586E1A03D20CAD186F6F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:12.925{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD5117B35AD338E6AAA1EAC4B602D2C,SHA256=8233F87F53297B25E96C6189E0DC7F27C0669D8C6196FE49D11DF3F3D57827A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:12.501{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1E51B0838F718702EEA0994461B071,SHA256=3892A8FC213C7235E643D779422E77EC100A3D81FFA1C7ACB47535021F4F0C1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:13.624{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB15E4280D33F776E56ED5B2065AC30,SHA256=806FD76C39BB0700A192EDF46365BBCF77B3953F5A2012BEFA32C7645398A183,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:10.602{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65428-false10.0.1.12-8000- 23542300x8000000000000000167798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:14.689{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F30A69848F84EC65BEA4514EFD4FB5E,SHA256=FEE6EF9EC9D4FEA245A36B3C51ADCCB42F94582C15E3D82B4E19AAB4BD69774E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:14.144{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FC61D73CF096750583A8AEB17310A0,SHA256=B16B7B4BF7F01DBDA9E8BD03782DCE3411335A7803CB167AA39FBF8D274E25C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:12.951{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55313-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:15.730{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F27FFC6D3E7F57C8CA17B695936C1A,SHA256=2F77DCEED7EA11A82C9690938E4BD00C9DD4736FC22CA724056505639D01A395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:15.365{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144C881E6A67EEFA2E31826ECCB5846B,SHA256=F5F7D1062184E0C6A1CED66EC2301596C56612EB69A93F0730417C265EADF953,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:15.310{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:15.309{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:15.309{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:15.305{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:15.305{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:15.305{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:15.305{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:16.801{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B120F9F7AA5CBB29A30726D917E1EEF,SHA256=4AC4CB523231FEC7BCCF38CB6F092DB6C19A077E6728C87006B97534F7EBDCAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:16.372{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6088817E876CBB4E129900A2E8E578FA,SHA256=F49ED674ACBA5D63371E6C77EB2CF5F7F72E85832574B174DE14F83AF277E6B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:16.547{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=2C4C76DCD8A37C65692E0C6A0CB176DC,SHA256=1BB4B572DA4BDA35027A261E27CE13E10930B0C5ACC54D544B197E8867C1CB60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:16.531{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=9C92FD17EBE63BF50640C0FB5AF8A500,SHA256=8BA655AFFA75A615F01F5E61F72CBD79EFD8DDAD2A1F9D859F5BD9B29E3B472F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:17.948{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:17.683{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:17.683{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:17.674{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:17.674{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000271460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:17.487{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC6BD926078CB25F54B4E9EC0AE6062,SHA256=954DD504806079E9F956D17B5047EF0BB99F06DD45E183D3EEAC958DE167400E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:17.997{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:17.987{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:17.974{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:17.971{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000167804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:17.834{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B00D1E0D15211D70F8222B30C53242,SHA256=354E227AD958818744651F1DDF0F2EB9A87183EE9A356DE5BF723757705748E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.896{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1B8B85B393738DCFDEE3614A27F025,SHA256=E20799EA8EB6C7AF1CDF1273655FF84ACBF2BC8488941F6E44EC3D335445B49A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000271581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.940{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000271580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.940{6820D070-3F2E-6323-5118-000000007402}65203844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.940{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000271578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.936{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000271577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.708{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000271576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.706{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000271575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.705{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000271574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.703{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000271573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.701{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000271572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.701{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000271571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.700{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000271570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.699{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000271569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.693{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000271568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.692{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000271567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.692{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000271566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.692{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000271565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.692{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000271564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.691{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000271563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.691{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000271562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.691{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000271561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.691{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.690{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000271559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.690{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000271558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.690{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000271557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.690{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000271556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.690{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000271555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.689{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000271554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.689{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000271553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.687{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000271552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.686{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000271551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.685{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000271550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.685{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000271549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.685{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000271548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.685{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000271547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.684{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000271546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.684{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000271545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.684{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000271544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.684{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000271543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.683{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000271542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.682{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.681{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000271540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.681{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000271539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.680{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.680{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000271537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.678{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000271536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.675{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.675{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.675{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.675{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.675{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000271531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.674{6820D070-3F2E-6323-5118-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.627{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52BE8E6210E1319975ECCB2CC02DFC4,SHA256=554B81E79197C7FB6065E17C389A61B9F0C47CC614DC16B4C9979B1D2D55FE88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.368{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA95564750B17D5C633D3BBA558C0502,SHA256=814EA8FA1C64DD930F5ADF9D09743458EE4C48CD6A5AF62B44403C2743BA0493,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.270{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000271529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.504{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6CDBE109E303F670EA439A9A193B3F,SHA256=DA6776485FEC4556D33C60F1DD22E3AFD9E6C839CB1818A98E7AA8E143A1E4BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.502{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=770EBD9BEAF5039C2C5D61A9C77D8897,SHA256=D484EDE5ECCF6B34198EC86114CEA3B0E03330F1CDD2C3BC13FBE0C1F128C7FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000271527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:16.515{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65429-false10.0.1.12-8000- 734700x8000000000000000271526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.437{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000271525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.434{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000271524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.434{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000271523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.244{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000271522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.244{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000271521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.240{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000271520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.238{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000271519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.235{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000271518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.235{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 734700x8000000000000000271517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.183{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000271516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.182{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000271515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.181{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000271514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.180{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000271513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.177{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000271512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.177{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000271511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.176{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000271510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.176{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000271509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.169{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000271508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.169{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000271507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.168{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000271506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.168{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000271505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.168{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000271504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.167{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000271503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.167{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000271502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.167{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000271501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.167{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000271500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.167{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000271499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.167{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000271498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.167{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000271497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.166{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000271496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.166{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000271495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.166{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000271494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.166{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000271493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.166{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.166{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000271491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.166{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000271490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.166{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000271489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.166{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000271488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.165{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000271487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.165{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000271486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.165{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000271485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.165{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000271484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.165{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000271483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.165{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000271482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.164{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000271481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.164{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000271480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.163{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000271479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.163{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000271478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.163{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000271477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.162{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.162{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000271475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.161{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000271474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.161{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.161{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000271472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.160{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.160{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.160{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.160{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.160{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000271467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.159{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000271466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:18.157{6820D070-3F2E-6323-5018-000000007402}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000167853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.267{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.265{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.262{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.261{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.250{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.249{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.249{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.245{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.243{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.240{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.238{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.231{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.228{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.212{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.201{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.192{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.170{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.162{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.152{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.148{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.147{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.145{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.142{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.141{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.138{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.136{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.135{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.132{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.131{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.130{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.127{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.123{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.121{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.117{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.111{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.109{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.097{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.085{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.056{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.048{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.038{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.029{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.017{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.011{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000167809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.005{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000167857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:19.948{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA41A737047858769578B260E6EED2A9,SHA256=8C8CFF19581282F8EC049FF0D0064411880BE70BDC36BC0ACD07981621C1A451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.695{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F76BAE7CA6CF60291E6A40907ED507,SHA256=8C663A7E3C050FF809C4330D38214BB99E7F3D586DCF615FDA591774A6C92FC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.659{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31087C2F304BEF3EFAE8FF1792867BB,SHA256=251F9D5994F9234F02556769707167D849C2934469AA8BA795DCF697DD97BA00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000271637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.655{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000271636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.651{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000271635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.648{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000271634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.471{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000271633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.471{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000271632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.470{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000271631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.469{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000271630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.467{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000271629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.467{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000271628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.467{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000271627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.460{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000271626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.460{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000271625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.459{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000271624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.459{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000271623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.459{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000271622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.459{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000271621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.458{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000271620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.458{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000271619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.458{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000271618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.458{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000271617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.458{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000271616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.458{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000271615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.458{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000271614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.458{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000271613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.457{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000271612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.457{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 354300x8000000000000000271611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:17.406{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65430-false10.0.1.12-8089- 354300x8000000000000000271610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:16.841{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61679- 354300x8000000000000000271609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:16.841{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64931- 734700x8000000000000000271608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.457{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 354300x8000000000000000271607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:16.840{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61186- 734700x8000000000000000271606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.457{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000271605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.457{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000271604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.457{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000271603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.457{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000271602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.456{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000271601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.456{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000271600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.456{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000271599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.455{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000271598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.455{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000271597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.455{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000271596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.454{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.454{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000271594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.453{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.453{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000271592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.452{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000271591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.451{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.451{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000271589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.451{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.451{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.451{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.450{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.450{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000271584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.450{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000271583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.449{6820D070-3F2F-6323-5218-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:19.344{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DD7EA73D907B0BDB459A6E682F14627,SHA256=C48A759ED2BD577650C5862543C8E8569CD2857705D71F0788E483CC7F1CA0F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:20.984{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C405FE21B43D2DBF06AD545845F846A6,SHA256=8CB3AF6FE855580360324CE2F0CF8ADBA708684E1E1B493BA862207200771C7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.954{6820D070-3F30-6323-5418-000000007402}55121016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.954{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000271740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.953{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000271739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.772{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000271738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.772{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000271737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.771{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000271736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.770{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000271735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.764{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000271734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.763{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000271733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.761{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000271732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.760{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000271731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.748{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000271730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.748{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000271729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.748{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000271728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.747{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000271727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.747{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000271726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.747{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000271725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.747{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000271724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.747{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000271723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.747{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000271722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.747{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000271721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.746{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000271720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.746{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000271719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.746{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000271718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.744{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000271717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.744{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000271716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.744{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000271715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.744{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000271714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.744{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000271713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.744{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000271712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.743{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000271711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.738{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000271710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.737{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000271709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.737{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000271708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.737{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000271707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.737{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000271706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.736{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000271705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.735{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.735{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000271703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.728{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.726{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000271701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.725{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000271700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.725{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.724{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000271698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.724{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.724{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.724{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.724{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.724{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000271693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.724{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19595C222BAE9134B65B2CFC287F4AC0,SHA256=686D42B0F27A32C900B17E2271378E1D26CA90997BD5C24046E61AD793D0EA59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.720{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000271691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.722{6820D070-3F30-6323-5418-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000167861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:20.372{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:20.371{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:20.371{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:20.356{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.315{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000271689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.314{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000271688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.313{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000271687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.141{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000271686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.141{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000271685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.140{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000271684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.140{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000271683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.139{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000271682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.138{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000271681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.138{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000271680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.137{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000271679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.130{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000271678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.130{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000271677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.130{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000271676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.130{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000271675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.129{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000271674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.129{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000271673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.129{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000271672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.126{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000271671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.126{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000271670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.126{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.126{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000271668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.125{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000271667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.125{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000271666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.125{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000271665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.125{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000271664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.125{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000271663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.125{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000271662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.124{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000271661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.124{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000271660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.124{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000271659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.124{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000271658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.123{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000271657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.123{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000271656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.123{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000271655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.123{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000271654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.122{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000271653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.122{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000271652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.122{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000271651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.121{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.120{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000271649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.120{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000271648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.119{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.119{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000271646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.119{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.119{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.119{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.118{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.118{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000271641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.118{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000271640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:20.117{6820D070-3F30-6323-5318-000000007402}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.872{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48A7E0F4A0890AC43FF801C2399B294,SHA256=7F09BEB35FC5161C939F6277A452B2BB49770771FA0803E272889083415DA3EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.789{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE9F863B8251818562962FFF6B05D090,SHA256=375728D108D4C98EE2EF44FC643ECE94BD8A830A1ADDCE20F90B2C4FFACE89D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:21.641{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CF089FD7B5106E0CFE35FD62B594A627,SHA256=CC6127468DBB032205E0C33ACE43F4EC5D520852543F50C212D8EF1E5A929362,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:21.356{E743DC12-D550-6322-0D00-000000007502}7842752C:\Windows\system32\svchost.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000167863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:18.099{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55314-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000271794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.581{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000271793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.580{6820D070-3F31-6323-5518-000000007402}54607100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.573{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000271791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.572{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000271790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.418{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000271789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.418{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000271788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.417{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000271787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.416{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000271786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.415{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000271785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.414{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000271784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.414{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000271783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.413{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000271782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.405{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000271781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.405{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000271780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.405{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000271779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.405{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000271778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.405{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000271777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.404{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000271776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.404{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000271775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.404{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.404{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000271773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.404{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000271772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.404{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000271771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.404{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000271770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.403{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000271769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.403{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000271768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.402{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000271767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.401{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000271766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.401{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000271765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.401{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000271764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.401{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000271763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.401{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000271762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.401{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000271761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.401{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000271760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.401{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000271759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.401{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000271758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.401{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000271757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.400{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000271756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.400{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000271755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.399{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000271754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.398{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.397{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000271752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.397{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000271751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.397{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.397{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.397{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000271748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.396{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.396{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.396{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000271745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.395{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000271744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.395{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000271743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.394{6820D070-3F31-6323-5518-000000007402}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.891{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F56DC8B7D0D12E44F2F305E13DCB29,SHA256=B640B54744DCAFFF2358007F2B9174D8717C080FEC9C03AC87FCAD7E55777C37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:22.459{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:22.058{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC231CD4DB7AD2E25145F312436D3DA7,SHA256=B6989D3C11D7C2EAE7FE76F062C63E0FD99C0BABA8E6535E1912C6A8D463B77B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.573{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=BE2D6420F33539DC6465F9BCBD1E5C08,SHA256=7D97A71967A5CB0C74BE7D2B1F50A2DAD0A461D4135930B39C9A5D79C4D410AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000271847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.265{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000271846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.264{6820D070-3F32-6323-5618-000000007402}74603412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.264{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000271844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.263{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000271843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.090{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000271842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.090{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000271841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.089{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000271840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.088{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000271839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.087{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000271838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.086{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000271837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.086{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000271836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.085{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000271835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.079{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000271834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.079{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000271833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.079{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000271832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.078{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000271831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.078{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000271830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.078{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000271829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.077{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000271828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.077{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000271827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.077{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.077{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000271825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.077{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000271824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.077{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000271823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.077{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000271822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.077{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000271821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.077{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000271820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.077{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000271819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.077{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000271818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.076{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000271817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.076{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000271816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.076{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000271815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.076{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000271814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.076{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000271813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.076{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000271812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.076{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000271811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.076{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000271810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.076{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000271809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.075{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000271808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.074{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000271807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.073{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000271806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.073{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000271805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.072{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000271804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.072{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000271803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.072{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.072{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.071{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.071{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.071{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000271798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.071{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000271797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:22.070{6820D070-3F32-6323-5618-000000007402}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:23.980{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F93CB9D3CB01DD7C943912B38F89BFA,SHA256=7A888529EF31E929048D02A7A795D880AA4E8C3554886085B6C51A6926353ECE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:23.104{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6BDC26DB085E9C093A10DB8D21AB621,SHA256=589482D837D51B5E547215365D9D9FD85DF4860D509D5E368991671706BCDFAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:23.821{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B181390571F93FF8A2BF35AC95D2C81C,SHA256=5C15EA48BABB10C5EB786BC67A95597B500CE0F31D0BED95DA50C827D73CCE87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000271850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:21.711{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65431-false10.0.1.12-8000- 23542300x8000000000000000167869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:24.161{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7345EBC24B497F57ABD343C31AFA8CD,SHA256=6687177E3DC69B1EE9A948C77A1830B36E2A779323DC7143B229F1B4701ACB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:25.247{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D719C1F4CF128D4AC0B3FC5A476813,SHA256=E23BF76C5A23E37DCFFDD93F1DFAEDBD8BD6607DBC775C4074957B567DE39699,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.669{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.667{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.269{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.262{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.253{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.247{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.242{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.238{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.236{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.228{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.217{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.187{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.170{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.165{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.157{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.149{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.141{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.130{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.124{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.115{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.108{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000271855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.088{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFAA714C1E682D63037C674CFA4B78E8,SHA256=9EB02C189347F235670B5F0B60A53BF1275872BB3A8BA6923ECEA5744BEB2166,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.070{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:25.068{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 354300x8000000000000000167870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:21.290{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55315-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000271877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:26.204{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D35012C7A4A5B6BA5B5C71C6380FDE,SHA256=E4865C2EFFD24A0129BBB993A9251B4F7BD10F88817D6702365A5838FB22FE83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:26.310{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E4EF0FFA0B6248D50377F7652B7B90,SHA256=EA9562E80AE00EA57C08C8E41A3316663336CF262D7D0954075820320B9E7BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:27.387{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99439CD30A82E6B91269E57F6226770A,SHA256=EF38963F920A390B52097984B3E71EDFE07ED7D505293E361E523E6D58661F69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:27.680{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:27.679{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:27.674{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:27.672{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:27.234{6820D070-D2F0-6322-0D00-000000007402}9084416C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000271878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:27.212{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440E1BBE82EECB009209B1577FC087D6,SHA256=A78C13E60DCB7090F24BCB2C14129F70036320CEE93CD413047B1C94D26F37C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:24.094{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55316-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:28.440{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6AC74E3A4D3DE9F17B6C9A86753754,SHA256=7A1228FDDF3101D44D11299F313D30237E90762FBCF49DCE6280CC7432503EDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.507{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.502{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.497{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE5-6323-4618-000000007402}3236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.494{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EE3-6323-4518-000000007402}5504C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.489{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.481{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.480{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.456{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.452{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.449{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.446{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.444{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.440{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.436{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.433{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.428{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.425{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.422{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.422{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.420{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.406{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.405{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.403{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.401{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.383{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.381{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.379{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.376{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.371{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.368{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.368{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.364{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.361{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.346{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.344{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.306{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.304{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.280{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.271{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.233{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000271895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.229{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42DDF0F33CAFBFF5D87F72ADB6840279,SHA256=F4F8E5D104A63550F7B1330B6EFECC9C687DE78B6BF4E169361AA78F3E3FCFAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.222{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.212{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.207{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.206{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.202{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.199{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.196{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.194{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.190{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.188{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000271884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:28.186{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000271937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:29.529{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F059B23B1D3DD44D276636C986484B,SHA256=3FBD3DE251B8AC900E7E8A1D23DE152683F71B825E4C2A22760D671F0A14333A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000271936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:27.545{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65432-false10.0.1.12-8000- 23542300x8000000000000000167876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:29.490{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FCB816FEE33D54F5644D63F5F050BC,SHA256=22E9A2D98E21D74E8C00DB798B98B422C6D893017A257338D80E7DFCBE597358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:30.779{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=AA23435395C7F336EFEEBC4D0D3DA72B,SHA256=7761FABC7C4AC341EAB18F6AB35035D8C1F836593426CEB254151C9E593C2B23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:30.574{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C276F432DF3789AA6B9649860EA55A,SHA256=614550796CFCE5635691EAFF0142EF56CEF7186C329836FBCAD8D52365B59C4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:30.519{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17BE1E7E209D58ECF9D1A3CAB8EDCA8,SHA256=993ABD3C4118C10C70BBE25C42C0B3720D6609467EC881476554E77612642596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:31.585{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48669DC38BAB4AE910CD8268FCBC9814,SHA256=1C2DB61C14BBAC0F75B0DE2DAD621FF3D6A6C1A0172A42F1F98F128F6DE8766C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:31.576{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853CAAD9AD58948899C356FC39EF7161,SHA256=B98462B0BE968E0D1962190EB343899FD802AB487BF23B493C393944173A0859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:31.322{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6C7D2CB7E477DEC4CFC9D75AEB893149,SHA256=ED59D89823178E2BEECEF69E22FCEB8867042A635EC0C12205A70F8432ACFA3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:32.592{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F511FD7B2FD1B65B9D153337F1F819D,SHA256=04FAC8A57E95F0624A2D93FD12CF6D45AEA01543215DABC836FDC4A27286BD5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:32.623{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E599982604609B5369D50C43FAAE9EE,SHA256=93CF2AB1ED5AB76812327162CFED339316BCFD2536A56C92DD4EAF4AC3FE511B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000167879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:29.875{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55317-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:33.665{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A74B46C4158058C803A2F862C634819,SHA256=3ED45BF058A65D10B66505D8DB989B2492BE990D01339E5681C4F4DD7C1981E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:33.903{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6A1FB511C5EE60D08DC1DBA9749A72,SHA256=22D16AB9C8E495CB5AEA4286154D078A10A6DAB95193EBA1D75FBDF80774F00F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:34.913{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74940EA2E398C475F6AECA8D429EB79C,SHA256=EC140A30990C846C66A88C60D4C3CEE5254CCCDBEF40533BD7A14DC374A6FF6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:34.727{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8672A70FB9CE4E36A54DBCB32065738F,SHA256=BBA54927554E83562DBD761A52880BF3F84E90CB47B03EC3CA25A53B2724A8F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:32.636{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65433-false10.0.1.12-8000- 23542300x8000000000000000167883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:35.769{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6024BF826965E998C47E505E68D3397,SHA256=FC0390C35C28306867048EC1EDEB7DC20754DB626E9B943068F0F35B09FDA6E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000167884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:36.805{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4C97C575EAEB0FE7E22DE0FB30AE5E7,SHA256=8A679BD339F8B39346E34B91B6660865A24A7A322516AFE8A11449D4616613C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:36.746{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000271948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:36.745{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000271947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:36.745{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1a72bc9.TMPMD5=AE83E3D1BED7E22F099EC37882555B7F,SHA256=19C20C1DAA5B1C1F7E9A0561569A10ABB7DBF1B544D26F74C2B5990D9C688508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:36.023{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A22FFDFEDED332B3B287C41BE81DDB,SHA256=E3078BE38F15E14E177331F8D90EF1F8A158D7115D7DF5B43739036EA868BBF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000271952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:37.731{6820D070-D2F0-6322-0D00-000000007402}908652C:\Windows\system32\svchost.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000271951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:37.233{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA7FDBFBF21F3CFE35A62574E2C806F,SHA256=0AF360BA31BB516FC123B974E8A0DBA51A039EB3D55FDCAB9CB0DF0019648ED0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:37.998{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:37.991{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:37.980{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:37.971{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:37.962{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:37.959{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 23542300x8000000000000000167885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:37.858{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B0483F0D05A81FC2EC84D5394FA795,SHA256=B2783D1B118C9A4C0881D52D24ACDD2F6877A9515A8BD10B948362EEF48BD5A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:37.141{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\aborted-session-pingMD5=3354B73421CD63A42EA9BE55069D131E,SHA256=136A3CDFCE50AC1B429801C377B4DC99A74F705D983ABE416CAE57665B1195BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.893{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D282BAD685FE3E2AC36C19512C85FE,SHA256=1BEABBEC29F88E2F8597E1B4E6E022EA8A2F46195B2A90E24E52B1BB13B01E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:38.339{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362A0AFB4A0F13AB9E4E12EBAE735B12,SHA256=A4606BFE6C2921E5D5D5F92981F237B4CCA1DAADDB971F2EAE63519FFD0D85D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.558{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2AEB0FDF36339703956ACE34B587F3,SHA256=B0D9A0E21808E8701E0BC0097F3DFF2714AB70A38BF45010692D90935CCCF686,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.315{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.313{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.310{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.307{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.305{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 354300x8000000000000000167931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:35.879{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55318-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000167930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.284{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.283{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.283{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.280{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.273{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.272{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.269{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.261{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.259{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.241{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.226{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.215{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.188{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.181{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.168{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.157{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.153{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.149{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.146{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.144{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.139{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.130{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.129{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.127{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.125{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.124{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.122{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.117{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.114{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.111{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.104{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.101{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.089{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.079{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.038{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.032{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.024{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.016{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 10341000x8000000000000000167892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:38.003{E743DC12-DCF5-6322-7D03-000000007502}55365780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E610) 23542300x8000000000000000167939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:39.945{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDCF6AE31FA12914A09B9C517650FD6,SHA256=25064097098B6101CEE23581042B295205A6247887832244389E44C070B4AC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:39.344{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFB91F4EF74BEA01F414A4BDCDA7988,SHA256=9877E73F696E8F59BC8132134B51D3BFDEC976E2B41EA277F1E1C71B4FC2F139,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:40.965{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475F9EE5934175EE34F0221208088E22,SHA256=B28B2E439E151A589A51E491428E63F3A00E87546F834C076D0B72EFF162CDA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:40.796{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=109C730EA8B043F0302974E6F49FC572,SHA256=FBC7332D4CCD9E39748DF41A78C519AE42E7F246DF626E4C9EEE047A14FB3AEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000271956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:38.511{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65434-false10.0.1.12-8000- 23542300x8000000000000000271955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:40.353{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6E20E08FBDA3F753700F26CE3EFBCC,SHA256=28C4D465B7A4F56F639A5452719ACDFFDEDC7E4606183232FF0981F4FFD2665C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:40.237{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1053DE93080DABB93D8A2BCCF9D7440D,SHA256=8A945D1098DF17FF282B45901B47C9FE7D5C56807E4067CA95F70E11732ECA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:41.462{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F829E5FCDC4E179A0B2C822907503F82,SHA256=A8AFF140D371222553FB6F18B398BC60F714EE09823A36DD42D061FCB919D3B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000271959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:42.572{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDA96E5C245E751BD4D796AAED5B010,SHA256=641A78A61B0B727768864232420DE959361F4406F7E42DA9C06D31F91361ED93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:42.096{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20919FEFD2DBBB337437B014B895824D,SHA256=3084A29A4D8FC739D77F9B3283EB36495BD64458BB9B05F918773A1E1335645D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:42.040{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:42.040{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:42.040{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000271960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:43.681{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166E50B1658B117411565EE0A034A3BC,SHA256=F70ADBEA98F3B04E7398F8E826A774975C8ED3C533E31578B9E414E084A72095,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000167947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:40.987{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55319-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:43.142{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D23D4BA32060B26462F0953616A7929,SHA256=1623783C9CB005849A48032133418B9930D75B7B6550ADA1A24EB78F02D8B2A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:44.690{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C7270DDAD826D5DE490D9BB210DE54,SHA256=BFF2267E2547C2903BB9ED5F6093B0C1907D1E18D48447ED11470C532DE6A897,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:44.185{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16DAC17C415E7C239C0369230E324439,SHA256=4D2D694FE0CA3B8364EA13FFF9FFD54638E4135FC1209FDD3569A09C4596A30F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.769{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.768{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 354300x8000000000000000271984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:43.646{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65435-false10.0.1.12-8000- 23542300x8000000000000000271983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.706{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC3865AA3A359D4E422DF87E16E92FD,SHA256=F6C99B2F5DA47F2A45297EA377AD9929CEF3D62BCC030E893AD3FEC18C01FBE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:45.247{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA484EF57CA44ECF96C51D01DFAC5037,SHA256=048CDF9441FFB1C14ADB7DCEC27A547ABC5759A04E82338C825821B375EE9BA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.297{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.290{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.283{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.280{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.273{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.270{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.269{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.267{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.260{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.230{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.213{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.207{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.198{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.187{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.175{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.164{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.157{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.147{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.136{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.088{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:45.084{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000271987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:46.814{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC87D1674292D333E1B51DCD0B1F646,SHA256=8E22B77D321119262D04482DDCA23F475A26F36A8020AD8A0C4C23880D085C40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000167950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:46.304{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB1043AF60EACA04C3420E702A329C0,SHA256=CF14359D0BB171ACB2FD8849E92CD52AA32635DBB9B941C79F345175E6588634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:47.927{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F723084A84CD6DB05AEF2453285995,SHA256=97679D02D395A079FE925013930DF86575CDFB51FE2357BB6A49549868D85202,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.975{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3F4B-6323-6F0F-000000007502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.975{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3F4B-6323-6F0F-000000007502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.975{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3F4B-6323-6F0F-000000007502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.975{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3F4B-6323-6F0F-000000007502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.974{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3F4B-6323-6F0F-000000007502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.974{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3F4B-6323-6F0F-000000007502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000167959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.828{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F4B-6323-6F0F-000000007502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.826{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.826{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.826{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.825{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.825{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-3F4B-6323-6F0F-000000007502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.825{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F4B-6323-6F0F-000000007502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.823{E743DC12-3F4B-6323-6F0F-000000007502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:47.350{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9307E4B9571EEBC896F012C9A1757090,SHA256=C98CAFDD8590A9EB9673A9EF8A9C98B94E9AA312D76E05957B61CB2879003433,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:47.785{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:47.784{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:47.774{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000271997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:47.772{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 354300x8000000000000000271996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:44.801{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse35.90.208.7ec2-35-90-208-7.us-west-2.compute.amazonaws.com55771-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local3389ms-wbt-server 354300x8000000000000000271995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:44.698{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse35.90.208.7ec2-35-90-208-7.us-west-2.compute.amazonaws.com54037-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local3389ms-wbt-server 734700x8000000000000000271994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:47.730{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000271993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:47.729{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000271992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:47.727{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000271991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:47.725{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000271990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:47.724{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000271989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:47.724{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000271988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:47.722{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000167976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:48.853{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C7F5408441AA2D409509880039D301D,SHA256=6B991F9D622EE7F1E37578DC1AAF96183DAAABA75F5780503657750CDD091918,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:48.492{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F4C-6323-700F-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:48.492{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:48.492{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:48.492{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:48.492{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:48.492{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3F4C-6323-700F-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:48.492{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F4C-6323-700F-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:48.493{E743DC12-3F4C-6323-700F-000000007502}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000167967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:48.407{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25A0EBA1DF4B9C9C7337DFEF61F083E,SHA256=40677A6EBB50253C24C6FBE6EFDEE919BAF4060D40DA2C01D060F5C7E297BAD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.556{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.552{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.547{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.534{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.533{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.508{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.504{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.502{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.499{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.497{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.492{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.488{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.484{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.481{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.477{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.476{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.475{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.474{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.462{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.461{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.459{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.457{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.448{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.447{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.444{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.442{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.440{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.439{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.438{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.435{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.431{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.420{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.418{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.392{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.390{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.371{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.364{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.327{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.319{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.310{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.305{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.304{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.301{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.298{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.296{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.295{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.291{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.290{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000272002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.288{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000167966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:48.051{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C12160ED7D9AD101E6F7F4322830C1DB,SHA256=E1DAD7FA87FAA3CC059CD1921A3083277DEFA54137A72513DE9B1DFAD18A8FF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:49.386{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:49.386{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:49.385{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:49.370{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD0A9AC2D33C7A3CB5477958A8868F4,SHA256=DCA94ECD1B8703B688C113FDD739589076F2459585520A4B76ED1B7A3262D6A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000167995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.812{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F4D-6323-720F-000000007502}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.812{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.812{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.812{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.812{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.812{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-3F4D-6323-720F-000000007502}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.812{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F4D-6323-720F-000000007502}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.812{E743DC12-3F4D-6323-720F-000000007502}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000167987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:46.069{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55320-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000167986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.494{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0653D1E83C2DD4E6C74CF97BF7120CAC,SHA256=3A39B729CC1EBC2CDEA343FD5AED42A80788C9300619DB0AD88AE01DED1365C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000167985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.309{E743DC12-3F4D-6323-710F-000000007502}28364412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.153{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F4D-6323-710F-000000007502}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.153{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.153{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.153{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.153{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.153{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3F4D-6323-710F-000000007502}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.153{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F4D-6323-710F-000000007502}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:49.154{E743DC12-3F4D-6323-710F-000000007502}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:50.459{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623EE736B797BDC615FB2B4EE3C93983,SHA256=5ABD9E64349B32D1B3163EE95FD6FC4B1C1EB3EF671808DA0EF5DD6DC4D3FB3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:50.913{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AB1D2F885564D4066E75020B7A598E76,SHA256=62C3FC24B69E4681E0021011E666828FC5D78B23B1C30B3BA420351B218E7949,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:50.665{E743DC12-3F4E-6323-730F-000000007502}16125868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000168004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:50.581{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD6FF5F44DE49A3A7623F59AC92D0DF,SHA256=5D00F7AA2DD716FDF48C005FFA052BC26F09775448593CEFEF1086C02E62FAE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:47.224{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local49757- 10341000x8000000000000000168003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:50.480{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F4E-6323-730F-000000007502}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:50.480{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:50.480{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:50.480{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:50.480{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:50.480{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-3F4E-6323-730F-000000007502}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000167997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:50.480{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F4E-6323-730F-000000007502}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000167996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:50.480{E743DC12-3F4E-6323-730F-000000007502}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:51.470{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1BC25E884A2E99B3C0E2F90F086647,SHA256=6BEB1924AA35945C7C075723FCD2306E40AE1F17B88B974B445AC626E6CED428,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.936{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-440MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.916{E743DC12-3F4F-6323-750F-000000007502}52763400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.758{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F4F-6323-750F-000000007502}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.758{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.758{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.758{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.758{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.758{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3F4F-6323-750F-000000007502}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.758{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F4F-6323-750F-000000007502}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.760{E743DC12-3F4F-6323-750F-000000007502}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.658{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7E1D9FA560B1C2709344DA393DCE5C,SHA256=6BCDB5082460FA5AA7C66C154BC50B34C655BDB135D3D0300A0DFC43C714EEC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:48.680{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65436-false10.0.1.12-8000- 10341000x8000000000000000168015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.314{E743DC12-3F4F-6323-740F-000000007502}34323996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.158{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F4F-6323-740F-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.158{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.158{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.158{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.158{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.158{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-3F4F-6323-740F-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.158{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F4F-6323-740F-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:51.159{E743DC12-3F4F-6323-740F-000000007502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:52.935{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-441MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:52.685{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFCBEEB285471AC7518913215ECBF9A9,SHA256=470DB97E27A734830EF325CC09A3B0E6FAD297029B1438FDE1FE5F1E9E3517FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:52.679{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97BD0119E644324B70D75787992CCEA,SHA256=25CADF7421DBF3027BFC2D155A57C1A57452C4E0333F3BC921EE3786E27C9721,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:52.531{E743DC12-D550-6322-0D00-000000007502}7842752C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000168030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:53.736{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F33C6F20D7FD2543EB276BBB519AB8,SHA256=9543C51891F417DAD2798EF7A0A62B040CCB6F86BCA4F8B04C8BD62E9F6906EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:53.689{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE1B2015552A683D63554D88774E5CB,SHA256=7B7CB859B893390E0AE1A5050046D22DB91B12F5529280525EDEAA829975EFE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:54.788{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E736B8DDAEDBD04BA74270F91119B5,SHA256=345D942AAC9A527A272CB13B53E074DB67C5FC61C099519FFD53BCC0C1E9A2B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:54.800{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE0A0108191B37B7B752A899684172E,SHA256=0C7A6095B5448927EC2CE4F4C832E1FF1A6AA4021627693592A9B22D4B4C6E39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:54.043{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2191138C4DFE5E3D130CB9EE8C5A8951,SHA256=73247FB9A93150BE224CD26240CE42E66786889C418374D1ADABF35594A54428,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:55.866{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B4AB3A8620EC53DEA664E8A3E5A462,SHA256=55207E42482E922442D083AC0DB771AE3F5DFCCC444157FFA056BC8D4E8FA2ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000168032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:52.108{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55321-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000272063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:55.911{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846B296F3F724EE5B8E9D0C02D1CEF1C,SHA256=3C66813ABE60A2B44ADBCB91D1A6B6325A4F3D61518E7DAA4C82917FED1F7F30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:56.892{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C42C680B7DDD8DB2CBFFF0DD4334054,SHA256=A64A5D20265A4055225682FBF24027F8E4181D86C2F2EA8E968F50756ADDDA2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:56.921{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6837A7AE79BA1F59ACA19E84917814,SHA256=DE42B46D2335058EF864F3E1486D672C940FEB4D446902696C1E1BC137E394A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:57.928{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DB13148E5CA07CE526662DB5C77F8C,SHA256=9918F4B6DFD4A3E1327F289C054C9C91F5FDA7FA6552C07BFA1448B51EB12AD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:57.990{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:57.979{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:57.966{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:57.964{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000168035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:57.942{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322BF1C05C68B66E009981516E900FD2,SHA256=F5DCB088304C2F0AFF5D774A07FA4F63DD439F8CEA9B3742D4E3458F94055DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:58.935{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2250C077D295D729714DD2CDBECF4C5,SHA256=48AA275A293FEF4DC29D88905A05A98E0B6FA2BC3ABE5D53E11D4C532F29EE8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.492{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07753CC936A94F0879B3C187F3538702,SHA256=EFDEF9654AE62EED742B59676E7C4F4BF7877D7B80E8E811F5ECBC0CB371AD1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.390{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000272074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:58.892{6820D070-D2EE-6322-0B00-000000007402}628764C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:58.889{6820D070-D2EE-6322-0B00-000000007402}628764C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:58.889{6820D070-D2EE-6322-0B00-000000007402}628764C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000272071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:05:58.063{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8540D214-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8540D214-0000-0000-0000-100000000000.XML 13241300x8000000000000000272070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:05:58.060{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BDD44E51-425D-47BA-BA16-AF37623148D4\Config SourceDWORD (0x00000001) 13241300x8000000000000000272069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:05:58.060{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BDD44E51-425D-47BA-BA16-AF37623148D4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BDD44E51-425D-47BA-BA16-AF37623148D4.XML 10341000x8000000000000000272068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:58.047{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:58.047{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000272066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:54.513{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65437-false10.0.1.12-8000- 10341000x8000000000000000168084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.387{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.384{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.381{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.380{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.360{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.359{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.359{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.354{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.350{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.348{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.345{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.334{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.332{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.310{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.292{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.281{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.250{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.243{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.232{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.226{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.224{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.221{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.217{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.215{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.211{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.209{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.207{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.204{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.202{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.200{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.195{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.185{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.180{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.174{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.161{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.157{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.131{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.116{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.083{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.073{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.064{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.051{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.032{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.023{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:58.010{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000272080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:59.975{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F25FA0C3F9B12778D01E91EFFB27DF3,SHA256=45408AFD00061F558CD739870FB80651E788716587DC77563C9699FCD0892636,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:59.941{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E98A5AFFC1D58C58B4EEDDE911EF871,SHA256=35535AB9A4B70F89609D5A2A2C96FCAB4B0FC5D04867785788759A66915FD439,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:59.033{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35B20F6E5AF256E55C2A5E2FFD192FA,SHA256=32B52D2CC279ADF69A5A31D86D3CB6F3468F9DC2F44A2259A7E2646CF4BBA08D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:59.724{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:59.720{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:59.720{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:00.950{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEADEDFC94BE75F27236CEEE26342C1C,SHA256=F031942C3DE5A5038697ACADB42C2DB39DE8C167A202EA68C289AB83269EF487,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:00.170{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A2B2C8F7079FA4254067F704EB89B4,SHA256=2FE5C293F54F4B5390E031D910AAE6E4FA50D782EED45121A15AB9129A7AFAEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:57.520{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local65438-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000272081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:57.520{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local65438-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 23542300x8000000000000000272088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:01.960{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A75597B87B74270330AC1523756DD2,SHA256=A23EEA1460084D527AF33DB6572A1A45B6DF97FAF90D012E982622F3C566B202,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:05:57.971{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55322-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:01.278{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990FE58301F00A46D7A6D6C72F737922,SHA256=E72A7EC8C91E4E74E6276F9CEBA6C5F575A4A4F3BEA376D207A99EC3C5017774,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:59.189{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65440-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000272086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:59.189{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65440-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000272085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:58.358{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65439-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000272084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:58.358{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65439-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000272090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:02.969{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA18469F5907FB02A73B2942C8860106,SHA256=1F04F319E0B256B084AEBB155F986FF715762EAD1FFC0D83207737BE52DB99B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:02.373{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7B004AF6A4D9FB9F339CA471336E1D,SHA256=B600CA8190685C93E971D1831021998A975E371F6D39EEF97DBF6477B41BDEA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:05:59.635{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65441-false10.0.1.12-8000- 23542300x8000000000000000272091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:03.978{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B41954F667A4CCE843DF6D3D075929F,SHA256=7E627847B443818E2505A52FE5683861A0EC435DDB583851B257697D0FEDEF31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:03.482{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0500BC9B4C7F1F4F8D4F9F15053E85,SHA256=B748E42C1C825F9E87866A986E1589F110F07C0590C0124E18E421CA7239D1E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:04.987{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F82BFD969EA9F9348192BFE079E6CD,SHA256=AA9D5D1ED99D1106F45501927A493668E1AAAD745EA50A361517D8E0C01C7AD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:04.599{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA58424538C474CF790ACF7D688E65FE,SHA256=6008CC12A54038B4B0068A0C83B3B6320B3BF9E4DA1E54F452A780C3819BE7EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000168095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:02.992{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55323-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:05.736{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6DE68966A4E0E5FDAACBFD99E796E8,SHA256=672DD0D4219B2ED9B7F291B09C91D14DB84F6C14D608BA27FB7AF0232E65D14E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.733{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.732{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.261{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.255{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.241{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.238{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.232{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.230{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.228{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.225{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.220{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.196{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.181{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.176{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.168{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.160{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.152{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.140{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.134{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.125{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.118{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.067{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:05.066{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 354300x8000000000000000272094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:02.723{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65442-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000272093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:02.723{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65442-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000168099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:06.856{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8401110A513E171E4B9CAC1B2C1CA9D9,SHA256=B56A5877DA2C12140A8E78C0A5E432D8F6627DF2D9E929109373BF84D092EA27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:06.307{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188F3704D82D870763A5D9AB765F2353,SHA256=81192FFC42D27F6D3E470977D13E96BC8F86563FD9B25FCA1A1EF4C1EB38EBF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:06.266{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000168097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:06.266{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000168096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:06.266{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF19e51bc.TMPMD5=39D11997735CDFDAB7051AB86B8F82E9,SHA256=34F34B56FDEF9CE630B3344FE748DFBC186169F1CA2CC69FB9A6920D5DE026AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:07.983{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B35664488ED3E88CCB59A6C5FA2AC0,SHA256=867DD2ECDD3EB3D182AF056CE36F9651A7C4F58D0E302F934EEFDDE277E4F4AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:07.746{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:07.745{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:07.740{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:07.737{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000272120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:07.517{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B54AC6820C327EE75BCAA06D0DF6145,SHA256=290B839CC2C6288AB2EB5BE4E35F23A0F7A90FB6166D8C41738C7EEF17FA82AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000272119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:04.689{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65443-false10.0.1.12-8000- 23542300x8000000000000000272174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.972{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C99C2805B1304100D9E6EA97BCEA02,SHA256=470E2685526FF86FAEA1DC1438DD3EF02F11ABD4CB53E228EB19E6AF64935307,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000272173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.564{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.561{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.559{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.554{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.553{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.534{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.531{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.527{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.524{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.521{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.517{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.513{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.510{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.507{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.504{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.503{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.503{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.501{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.490{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.489{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.486{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.485{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.475{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.474{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.472{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.469{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.466{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.464{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.464{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.461{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.457{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.446{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.444{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.417{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.416{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.396{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.377{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.317{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.303{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.289{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.277{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.275{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.272{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.268{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.265{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.259{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.254{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.253{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:08.250{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000272175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:09.667{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D781079C3D77F9A476FC9E42D0EFD8E,SHA256=B2D7EA25326462D305E36488721229CFB8760B063839119B63842B62626ED5DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:09.012{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98F7DD85D4971864FDE2E75CEB7FB4B,SHA256=21BD00C8A808A362A6429E1C2B483A2805DF3EC06E097BE290ABCDF7A82F6C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:10.675{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3423F63098ECEA0FD6E4BAF47EF0D65,SHA256=5F945766C36B61280FB23EC9E2B66EEFCC15991978EF672787D1CE5D0A55BAEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:10.140{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68367E779822C38FD01676D2D6AC6BA7,SHA256=CCC54CA255A4E24E103D52111A1AA428F7A9E2F7D72F46302226D5FC541878C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:10.544{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-450MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:11.686{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367599A893F9B5ACB7F30AEC7B6097E0,SHA256=61CB616207522CE035BC793A77A7E626F93B69B759C8D830F4460C67B906D6FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:11.258{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339956A58A2EF53300547B1965D58740,SHA256=E5AD616945AC03BF221E02095F58D18B3EC365FE6557A0597617F1F94A34EF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:11.543{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-451MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:12.796{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5051ECEB9C335916433D7E562F84ED,SHA256=5D5E2C0AF1D834976110656D25725C973A03EDEA72CB3C625D8ECB979D010220,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:12.341{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F291010118B4A121EFAA162BCC03EA27,SHA256=A3C9FF54BAF912AE1D1222374DB1EAC878CBE906A7EE119DCA3C0A8CB7AB14D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000168104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:08.915{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55324-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000272182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:13.907{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFAB40B33419EDCB2E5B66A12BC8F8C,SHA256=98AFD7500F768B1F4364A7CCB25A7C3D6714EAD35D7EE94FEDC12171AC1AA5CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:13.446{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4860782E0905C1913A8CB71CF52BA16E,SHA256=6D77EC24D766653AB7F625C0CB108870B0C450C6A155408A51EF4CDBA05B6B6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:10.532{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65444-false10.0.1.12-8000- 23542300x8000000000000000168107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:14.565{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0D2EDA7F8E3C2E328EA7E0052C2418,SHA256=A5055C254F53918479A4D285F78DEF91BCFF85A341072D87448BFD17796B1C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:15.697{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3A57AF4A806650808445BA722AE153,SHA256=174BFCAC18F5CFA5237AC5A0B56D4E66BC4ACC6B9B545495275938CA87B32B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:15.017{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F4A25CDDAE1E846BC2C6528B5367B4,SHA256=9FD9882CA3DE50C0523507E98E00A81116966BE55A3E7CFFD0861882F60E3EE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:16.323{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50348BF08638E44EF77DBF922C2514ED,SHA256=0CE41B04D67253B39948D4DA0967895F3266077D735E8991C82027D52DB5732E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:16.822{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07857FAF77E1CA7BFCA8DF0583498B7D,SHA256=B6C9571B46436A7F0BBA7AC06E6B9219199AB1E04FE83A809DC4F18B8BB11B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:17.964{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:17.629{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C363CC9F18BBDF11C10DF107025E65A8,SHA256=36141CA8C54003329E0A3FD2F558F0D667042CFFE78AB4CA16F1500E13ECB9BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:17.992{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:17.978{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:17.975{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000168111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:17.908{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D47B8C18FF7C5A78945974F914DCB9,SHA256=A000B48556D7E491DB3891DD4CB63AD4A40B89756DC1C363FF2D495226A196BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000168110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:14.065{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55325-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000272291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.874{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000272290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.873{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000272289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.872{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000272288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.684{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000272287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.684{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000272286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.683{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000272285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.682{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000272284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.675{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000272283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.675{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000272282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.673{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000272281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.673{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 23542300x8000000000000000272280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.667{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0016448F6ECFD5E0814E48D0BBE6E04,SHA256=FEDBC7C65C1BA9838A4BCED3C74A5061E1950E667CD3E971A26720B3B4250E87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000272279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.661{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000272278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.661{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000272277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.661{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000272276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.659{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000272275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.659{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000272274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.659{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000272273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.659{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000272272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.658{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000272271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.658{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000272270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.658{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.658{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000272268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.658{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000272267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.658{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000272266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.658{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000272265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.657{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000272264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.657{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000272263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.657{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000272262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.657{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000272261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.657{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000272260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.657{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000272259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.657{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000272258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.657{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000272257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.656{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000272256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.656{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000272255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.656{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000272254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.656{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000272253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.656{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000272252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.656{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000272251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.656{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000272250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.654{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000272249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.654{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000272248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.653{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.653{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000272246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.648{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.648{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.648{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.648{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.648{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.647{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.646{6820D070-3F6A-6323-5818-000000007402}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.557{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF28282F47B7ED640743E9408E42F1CD,SHA256=02F1849D4EC401C37AB5AF81487B7A1FF6779BA0B4783EE4740F7883E123B7F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.331{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000272239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.610{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A3DC8FD8793A0EB9E8451D2DE53301E8,SHA256=598DBB858746A08252AB2C3F00DC4E6935AA2EE6E68F38819844EAB8EAD49F79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000272238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.342{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000272237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.340{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000272236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.339{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000272235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.155{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000272234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.155{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000272233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.154{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000272232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.153{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000272231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.152{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000272230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.151{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000272229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.150{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000272228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.142{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000272227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.141{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000272226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.141{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000272225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.141{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000272224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.141{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000272223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.140{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000272222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.140{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000272221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.140{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000272220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.140{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000272219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.140{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000272218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.140{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000272217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.139{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000272216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.139{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000272215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.139{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000272214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.139{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000272213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.139{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000272212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.139{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000272211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.138{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000272210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.138{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000272209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.138{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000272208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.138{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000272207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.137{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000272206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.137{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000272205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.136{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000272204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.136{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000272203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.136{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000272202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.136{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000272201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.135{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.135{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000272199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.134{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000272198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.133{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000272197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.133{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000272196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.132{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.132{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000272194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.131{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.131{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.131{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.131{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.131{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.130{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:18.129{6820D070-3F6A-6323-5718-000000007402}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000272187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:15.661{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65445-false10.0.1.12-8000- 10341000x8000000000000000168160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.329{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.325{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.323{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.321{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.310{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.309{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.309{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.306{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.303{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.301{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.298{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.282{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.279{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.263{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.251{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.243{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.220{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.214{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.204{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.198{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.197{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.194{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.191{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.190{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.182{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.174{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.172{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.165{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.164{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.162{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.159{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.152{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.149{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.143{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.136{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.134{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.109{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.094{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.066{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.061{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.052{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.045{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.034{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.030{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.022{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:18.001{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 734700x8000000000000000272383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.997{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000272382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.996{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000272381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.996{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000272380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.996{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000272379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.996{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000272378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.994{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000272377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.994{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000272376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.994{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000272375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.994{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000272374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.994{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000272373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.994{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000272372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.994{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000272371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.993{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000272370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.993{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000272369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.993{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000272368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.993{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000272367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.992{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000272366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.992{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000272365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.992{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000272364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.991{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000272363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.991{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000272362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.990{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000272361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.990{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000272360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.990{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000272359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.989{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.989{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000272357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.988{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000272356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.987{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000272355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.987{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000272354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.986{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.986{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000272352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.986{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.986{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.986{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.986{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.985{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.985{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.984{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.706{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A00A69BC2903069E1DE7C6FA1E7D3F,SHA256=DADC09A03095507D7EDC520DF643899E4E358172445AA4CCF3BAF50995B009AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.703{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A28AD00A93ADDC261D4386FEB6F367B7,SHA256=913831BBFE195DA37DB975D10C4665752A268945E759F54FBCBE697FA5C96E72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:19.013{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F698F61F4DEC1F236716A2816316832,SHA256=0D2F27DF63C6958FCC6BB57E9F974754F0A68C88F7F0D894CFFF7EF824292239,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000272343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.559{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000272342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.558{6820D070-3F6B-6323-5918-000000007402}18403844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000272341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.558{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000272340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.557{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000272339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.337{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000272338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.336{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000272337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.334{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000272336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.333{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000272335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.331{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000272334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.330{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000272333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.330{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000272332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.330{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000272331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.324{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000272330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.323{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000272329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.323{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000272328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.322{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000272327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.322{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000272326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.322{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.322{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000272324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.322{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000272323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.322{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000272322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.322{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000272321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.321{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000272320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.321{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000272319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.321{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000272318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.321{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000272317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.320{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000272316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.320{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000272315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.320{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000272314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.320{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000272313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.318{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000272312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.318{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000272311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.318{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000272310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.318{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000272309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.318{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000272308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.317{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000272307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.317{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000272306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.317{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000272305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.317{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000272304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.316{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000272303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.315{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000272302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.315{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000272301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.314{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.314{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000272299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.314{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.314{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.313{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.313{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.313{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.313{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.312{6820D070-3F6B-6323-5918-000000007402}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.225{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73336C60B3621069ADD1C7C716B7137A,SHA256=6E56E2EAD1704A57866682F35F0A7EB5A227A3BA15140B9FF34BACA5FFED1AC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000272454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.884{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000272453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.883{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000272452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.883{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000272451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.875{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6138F188E7AFD9B3CC0DB350030AF9E5,SHA256=53B44A5E9A604FDB171D2D3A9CE6FAD1592A6CEDEF3647F2069209B837EA2964,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:20.846{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A56CC49AC4AF7EB7D05CCBB9419CF975,SHA256=AD8291EC4BB3A1223FB2E966B99A91B160E2347F9AF8E0E66629E1EC6386FBBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:20.362{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000168164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:20.106{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A16980E069E1A5A7121B3D5E7640D7,SHA256=CE96CFA542CA690CEC4AD46F30EC2E9E1115EF914AC84BF265DE5038DE5D9B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.739{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A132E1A92333AF0FAC5B545EF7F60ED6,SHA256=B2BC04E45954E1C96752236A7771AD77321FDEAE010212B7C2FA5C6CBDD3FDC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000272449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.672{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000272448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.672{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000272447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.671{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000272446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.671{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000272445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.669{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000272444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.669{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000272443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.669{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000272442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.668{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000272441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.662{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000272440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.662{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000272439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.662{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000272438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.661{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000272437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.661{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000272436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.661{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000272435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.661{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000272434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.661{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000272433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.660{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000272432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.660{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000272431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.660{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000272430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.660{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000272429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.660{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000272428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.660{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000272427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.660{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000272426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.660{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000272425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.660{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000272424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.660{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000272423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.659{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000272422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.659{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000272421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.659{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.659{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000272419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.659{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000272418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.659{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000272417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.659{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000272416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.659{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000272415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.659{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000272414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.659{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000272413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.658{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000272412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.658{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000272411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.657{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000272410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.657{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000272409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.656{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000272408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.656{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000272407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.655{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000272406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.655{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.654{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000272404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.654{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.654{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.654{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.654{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.654{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.653{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.652{6820D070-3F6C-6323-5B18-000000007402}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000272397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.200{6820D070-3F6B-6323-5A18-000000007402}38282820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000272396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.200{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000272395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.199{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000272394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:17.420{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65446-false10.0.1.12-8089- 734700x8000000000000000272393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.014{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000272392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.013{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000272391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.013{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000272390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.012{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000272389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.010{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000272388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.010{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000272387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.010{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000272386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.009{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000272385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:20.008{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000272384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:19.999{6820D070-3F6B-6323-5A18-000000007402}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000272553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.928{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000272552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.927{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000272551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.927{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000272550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.926{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000272549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.925{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000272548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.924{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000272547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.924{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000272546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.924{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 23542300x8000000000000000168167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:21.191{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691F584F7CF8ED0A4B9C7E08E7A23C04,SHA256=43475E3F225CE2BADE789B27FE3C2C9966E8FB6CF39862F0D74F720C87AA183B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000272545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.914{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000272544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.913{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000272543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.913{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000272542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.913{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000272541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.911{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000272540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.909{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000272539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.909{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000272538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.909{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000272537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.909{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.909{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000272535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.909{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000272534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.908{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000272533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.907{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000272532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.907{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000272531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.907{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000272530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.907{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000272529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.907{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000272528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.907{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000272527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.907{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000272526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.907{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000272525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.906{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000272524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.906{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000272523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.906{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000272522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.906{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000272521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.906{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000272520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.906{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000272519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.906{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000272518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.906{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000272517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.904{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000272516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.904{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000272515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.903{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000272514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.903{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.903{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000272512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.902{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.902{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.901{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.902{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.901{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.901{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.900{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000272505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.517{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000272504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.516{6820D070-3F6D-6323-5C18-000000007402}55127180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000272503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.516{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000272502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.515{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000272501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.340{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000272500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.340{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000272499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.339{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000272498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.339{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000272497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.337{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000272496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.337{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000272495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.336{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000272494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.336{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000272493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.330{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000272492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.329{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000272491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.329{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000272490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.329{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000272489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.328{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000272488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.328{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000272487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.328{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000272486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.328{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000272485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.328{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000272484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.328{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000272483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.327{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.327{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000272481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.327{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000272480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.327{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000272479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.327{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000272478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.327{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000272477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.327{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000272476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.327{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000272475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.326{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000272474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.326{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000272473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.326{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000272472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.326{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000272471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.326{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000272470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.326{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000272469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.326{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000272468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.326{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000272467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.325{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000272466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.324{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000272465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.322{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000272464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.322{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000272463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.321{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.321{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000272461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.321{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.321{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.320{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.320{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.320{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.320{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.319{6820D070-3F6D-6323-5C18-000000007402}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:22.463{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:22.280{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC54756B4047CB1441C7C99FF98FA2B,SHA256=5C2ECD0BA35DFE48C5C5A83B95CD7D22B87090701FE8878BBB152A58E84B9266,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000272558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:22.129{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000272557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:22.128{6820D070-3F6D-6323-5D18-000000007402}70925460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000272556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:22.121{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000272555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:22.120{6820D070-3F6D-6323-5D18-000000007402}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000272554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:22.036{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1AC1E333AAF045CCCF164AA3B11E2F,SHA256=E48EB3FFECA4460BA1A56C41494A6630E73F5A169DDC86247EF1B05593106C3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:23.199{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E3F39235F0D41D38DD9A35D2BE62ED,SHA256=F98E5400D85DAAF5565B3F20FD199C7812586D38E718C8F2678910A92F625421,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:19.907{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55326-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:23.409{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593F85FFF0A179B03C3EE63A77BC5054,SHA256=F683EFC4B8BAF72213D7DB4A2B60B860E3489FF28DBDCD747077D60DC40B0FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:23.088{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C2EE24FB1444B4413EB0252BFC2BD4BC,SHA256=8CABE963F28DD73FD43991A63BB264EA2D69347454010EE664F3DF63B2B57676,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:24.511{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4015BD1519708D97431AEFDBD10100,SHA256=E554E0E55C58529DBEA331DA23CA7BFA968183350CA8582AE2B8CC04F699FB28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:24.513{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04ECA603AC426EA6C38E9CA3EE2788A5,SHA256=B42112C0D422E3301EE7968F3321813B477923D78739DC0D14BAC871088EB851,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000272561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:21.501{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65447-false10.0.1.12-8000- 354300x8000000000000000168172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:21.309{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55327-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000168174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:25.535{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB96E0CDBE8337ECFEBD19C628AC8FB3,SHA256=E8BEE1B0652FC760E61833C3BE3CAC8293B942609A6DD5A6407F674D96DF70D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.657{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.656{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000272584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.633{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091DC90F32C4C011DF9E6EBE9023B02A,SHA256=F641E5C147F040DAD5AACC9FF1AC747B18821A35F79633D3E3B9A96D97801789,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000272583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.301{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.287{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.279{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.275{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.269{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.267{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.265{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.263{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.257{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.220{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.201{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.191{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.177{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.169{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.162{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.148{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.139{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.127{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.117{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.072{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:25.070{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000168175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:26.638{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927261326F48802BB941D8519A64D9E4,SHA256=5D58C9A193398D2AFE666FAC6F50FBA284AB3FC4F736C23B206EC8858D38A811,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000272597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 15:06:26.745{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000272596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 15:06:26.745{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01a7ef19) 13241300x8000000000000000272595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:06:26.745{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c90c-0x5836d8be) 13241300x8000000000000000272594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:06:26.745{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c914-0xb9fb40be) 13241300x8000000000000000272593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:06:26.745{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c91d-0x1bbfa8be) 13241300x8000000000000000272592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 15:06:26.745{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000272591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 15:06:26.745{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01a7ef19) 13241300x8000000000000000272590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:06:26.745{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c90c-0x5836d8be) 13241300x8000000000000000272589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:06:26.745{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c914-0xb9fb40be) 13241300x8000000000000000272588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:06:26.745{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c91d-0x1bbfa8be) 23542300x8000000000000000272587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:26.642{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D469F984C8FBE3EFB7AEAA512AC637,SHA256=49E54B7D231F6BAC5C02E3F0BF1BE27F18F4936C2606161CF71B19E158873259,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:27.754{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6F27055DA80AC510E345BA6DF289F7,SHA256=98FF51C887D853FEEB21D6B55942561D944623384110C6F250F73AE289693F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:27.758{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438F19CE88AE99A2D3F46592621B41D5,SHA256=45C01B3EC88362F6E7522A1F780467D4A3F519FE2060C2043FE22D89D7C0C3DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000272601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:27.681{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:27.679{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:27.675{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:27.661{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000272653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.913{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5596581DD20EA6C4F5BB44AFC01C4FAB,SHA256=1486EA5F1142E5801E2EE9D27CED3A80A1217609B084ED11E09E96045075D8F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.911{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B994C6DF1B1297BC48C1636017A4A01C,SHA256=1F3CF5A0A72E3B896D7C321B3327C491CB48B9A0B36163D0C430BD943BC7BF11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:28.877{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D252AAC49361CA523E96D8C33D439C8D,SHA256=3519E9832CF191A3975EBEDB950786B6CC69A6B6DB101AA569776B46F1CDFF44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.466{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.464{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.462{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.456{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.455{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.433{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.429{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.426{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.423{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.421{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.417{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.412{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.409{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.405{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.402{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.401{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.401{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.399{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.381{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.380{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.377{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.375{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.365{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.364{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.361{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.356{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.353{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.352{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.352{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.349{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.346{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.331{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.326{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.298{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.296{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.281{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.271{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.231{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.223{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.213{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.208{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.206{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.203{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.196{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.194{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.193{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.188{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.188{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:28.184{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000168179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:29.895{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D905100DD87CDC902F025738562F63A3,SHA256=A98DC61B73BB936FE9312866B4D03AC8F7FA9531BBEC1D8ED4A60232CE20CA91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:26.511{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65448-false10.0.1.12-8000- 354300x8000000000000000168178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:25.915{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55328-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:30.924{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01C9557F07C4226E9D4DAC6A908C796,SHA256=B672D36FD9997EC1B69A9D8CCF757C130541DF5DD0F5FEE1D6B1D9EC8AA7477B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:30.226{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA85C017885ACAA48893760C23898E61,SHA256=A62DDDFC4136EE0DBC19F866F345E75186B88251A80C46C5FF6409BD9570660B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:31.438{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85490EA850B6F45E70A862FB7BABB9A,SHA256=CA90CFA689F9ADFEBEB1FEEEAD8C2DDC5F36D0D8180CD667E44A6AB31CFFC820,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:31.323{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6646E2999B693D49BB13BAFE3376CE95,SHA256=FF4A1FDAF404755A86EFE683A82C1AD80F9C5D216977460D8E47744E854DC176,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:32.446{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4884DE34D87682292A5CC79E2C607DD,SHA256=C44AD9D5C2682590B79271321F43E767A00CC15C0FB98805F78997656B7E4D16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:32.047{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72C55E0C2D8673F971FED2E2D0E9C2C,SHA256=6BD90EDF42FA40D89BF2223115A029FF72F151B26332C6DA10C92CB88C8BAC3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:33.556{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C46CD1F5E1B30AD41E06485BA19323,SHA256=0DED01EBDA6B8AEF6723B83722EF24FA2E2A827C57832FC1EEDADB9C3580D704,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:31.045{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55329-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:33.102{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6E14FB1F6666EABD5A8FD19523BA88,SHA256=8C0B716B9CCDFA0E3F9A457360984E10D68DF4441B5AF67FDFD11883048EA37F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:34.662{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E902D1E8D1C3393AF902239091ACD443,SHA256=4800BACDCFABDB9079C27C85AC58762E92AFBC91C5231A375F1823BD384C2ADD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:34.228{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCF825BF21495F96C5F6ACD7DF9526D,SHA256=4F4790E63DC9EF82A5F8CFDC4DF9DBEEB77F8A537A15E812CAE6DDBA071E22A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:31.715{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65449-false10.0.1.12-8000- 23542300x8000000000000000272663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:35.969{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B093D17314F90BE3CB5A88E9973B12,SHA256=DF3BA944B0DAA034E3AE1F17EBA6E54D5A330BCC6203C45896C74A044D8D7EFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:35.254{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFE8DFAFF508A5A168051A7BADED268,SHA256=BB98D05F0ED29E97A1F5F5A2A479B4A78567E36FA5A6BC024F123C3AE0CEF20C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:35.670{6820D070-D2F0-6322-0D00-000000007402}908652C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000168186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:36.339{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C56CE1AD671C5D7F547A2E9C246DF5FF,SHA256=08C8489A6C5D7B469A0CEA87FCB4C11E8CDE3E5D533A21F7F465F5BFBDC6B650,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:37.992{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:37.976{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:37.969{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:37.962{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:37.959{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000168187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:37.456{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD99D3EECE5229DC19E47B37A269929,SHA256=DA58D2B07969183E0158E30209231242B3C9677BC0D54DB214933B180FBB251A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:37.281{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DBA9596FD91C08BD2F35B27B3570A86,SHA256=25376B9CA3ACE3C4B789C7C5F24440714772C6151E601BCAEE6469920503C45D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:38.392{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7839EE4C1D6E3691B7306C2CAB6577,SHA256=574D905CAF2A7FF692F2A5B0A215327160FBFF145AF70A793C371A0C20E63B5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.645{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80083D5638313662F6AD8CA20C1555A7,SHA256=E221D385FACB244650B8AE9A3717A40D40C511B9620D08E35BC6812DF6C064BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.645{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605BE7BA0C8B3C9D0E916A6EFA5C2416,SHA256=C0E30C8F6734273B503C83908B469A9D8F751C628001C1C42DCD40C73540AD50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.295{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.292{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.289{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.287{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.286{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.271{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.271{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.270{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.268{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.265{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.263{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.260{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.253{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.251{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.226{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.214{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.202{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.179{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.173{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.164{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.160{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.158{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.156{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.154{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.153{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.149{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.146{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.145{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.131{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.129{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.128{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.126{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.121{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.118{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.115{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.108{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.106{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.092{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.085{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.059{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.046{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.036{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.019{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.007{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000168193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:38.000{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000272667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:39.603{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41E12B1D94346F79D575A669EDEACB8,SHA256=85319A7198A2BD0C50A2CD411E787D74696B2C1F61DA8CED3FBC2539A8DB94F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:39.678{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8035EBCB7EE4FD19878E9421ADE36673,SHA256=7802EDC4AFFB6AF75B8163EB7A3114575C04771123CDE4967FEF227CB223F9C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:39.423{6820D070-D2F0-6322-0D00-000000007402}9084416C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:40.915{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32C43CC17407AB7CCC745B081EDC557,SHA256=24BFA1D23DD3483808AB5FBE1F4B3F6A618DB1CA420A1D8332BA62E23E73ED74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:40.812{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE60E0E905E8BC746BF4870ABFE45B7,SHA256=56BC9910D4E953A89439431ACE6CEF4E67AF0385DCA941AB3E566D4A64ACFDD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000168242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:36.968{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55330-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000272672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:40.269{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2EC-6322-0100-000000007402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000272671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:40.174{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:40.163{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000272669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:37.662{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65450-false10.0.1.12-8000- 13241300x8000000000000000272668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:06:40.061{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8c914-0xc21ca715) 23542300x8000000000000000168241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:40.239{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=12D5F35413CADDF26FD946209C802C3A,SHA256=50670175EA475D71B9C55CB989AB5ECC8BBA3635255CDF98BDC50CF6A0951099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:41.924{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420202613180AFF93EA1CAAC05737867,SHA256=BA9974548DFAA25863F817E293FFCB4C256A17735DC83F103E38D08F38325827,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:41.813{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE5ED25657EFD4951C8BC14E01E9489,SHA256=9A5E3F0663E2079F0A6B939E17D573B9A98BE9D274F63428DA0EEFFE96536469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:41.402{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8798AB4FA3ECF9B112475C01719D078,SHA256=E08B32631E7F1B7AD99C54D9169435D86BD1FA7BED57060E3E8E458B9984B62E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:42.941{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F53BEF4C67F23D6622F7FCCC12504E1,SHA256=EF798B4B50792E4AE94E9E7AE7E46632E20705DD8A03452BC7AE014AAA271653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:42.935{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707F69386C6305C73FBD897B65282A60,SHA256=ED6ABC4F1024DF6A6B9C44DE855942484D2E804076D48A0614DDBBCABC9B8B42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000272678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:39.637{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local65451-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000272677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:39.637{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local65451-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000272676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:39.532{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000168246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:43.944{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3794E96D1F52340542F27C7007ACB840,SHA256=1E92CA1CEB179096BDD8E5F21FC4C3517435AA9C0C54E155573B5152B6C5C30F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:43.945{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A15F2F8D65733DAF31DC552BA630F3F,SHA256=87FC744FB4535339E87437B46B1B7C65AFA8F48FF065D103230D6DA7EBD90195,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000272683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:39.739{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local65453-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000272682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:39.739{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local65453-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000272681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:39.646{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65452-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000272680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:39.646{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65452-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000168247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:44.984{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384AE6039D024399DBA41FB3567B0B10,SHA256=AA46B70B0AEE02ACBF5A2843686193E2B97C17A240755660CE33AA8C524D61ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000168248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:42.944{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55331-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000272709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.880{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.878{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.340{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.331{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.322{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.319{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.311{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.308{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.306{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.304{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.295{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.263{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.239{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.232{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.224{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.211{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.194{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.175{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.168{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.157{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.149{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 354300x8000000000000000272688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:42.712{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65454-false10.0.1.12-8000- 10341000x8000000000000000272687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.099{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.097{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000272685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:45.077{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E14E442B24D775B898A1FA248C407F,SHA256=32346C1DA1ED998FFB3B2621AD1CCE6E8F885BCFE7FE7965C93A1ED84CD4370F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:46.146{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A71A43AD4E29ADD6DA8B4B2D65D1AFC,SHA256=D09D4016076232D4CAE0BB638D7D8DB6D37204FE2BD4593F2633572F22A3E2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:46.094{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56671061F73D9EF1646D1947B1F4C7E0,SHA256=EFEB360AF9EB42E881CEDD7494C1D56F143301169EBD7A0E8799205BDD809907,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:47.846{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F87-6323-760F-000000007502}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:47.846{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:47.846{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:47.846{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:47.846{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:47.846{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3F87-6323-760F-000000007502}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:47.846{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F87-6323-760F-000000007502}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:47.846{E743DC12-3F87-6323-760F-000000007502}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:47.200{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D0A1C1594514E6F378ECDA8FA40006,SHA256=CA9DE21ECC69B693C59D203D8E6AB4D070841B9F0595B7B3260A38A3C031DDB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:47.895{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:47.894{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:47.888{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:47.885{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 734700x8000000000000000272718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:47.732{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000272717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:47.731{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000272716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:47.729{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000272715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:47.727{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000272714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:47.726{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000272713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:47.726{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000272712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:47.724{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:47.103{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC21E4406789F7BE5BDB7A3D26069C8,SHA256=E593876E195006E8F0F94094B9EDD4C412C450228F76CE9A959123830C4E7703,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000272772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.670{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.668{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.663{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.658{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.658{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.632{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.629{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.625{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.622{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.620{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.617{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.610{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.607{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.603{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.601{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.600{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.599{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.599{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.586{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.585{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.583{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.581{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.572{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.571{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.568{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.566{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.561{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.560{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.560{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.557{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.554{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.543{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.541{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.516{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.515{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.499{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.487{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.445{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.436{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.425{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.421{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.417{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.414{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.410{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.408{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.407{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.402{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.401{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.399{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000272723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.115{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02071F8ED11251F6E94C0E571DF30E3,SHA256=4CFD83422868C0EF8E9B71609E7AD9AC3279A3B6808FF8D175478CA075E31FD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.903{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E93ADDEC44BDA27AF968EB0269EF0CB1,SHA256=5838F81E9A79ACD386DFA4E0643B3C4C2D0D9B67736349A9CD32E4C3CF65AAE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.756{E743DC12-3F88-6323-770F-000000007502}12565016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.522{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F88-6323-770F-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.521{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.520{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.520{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.520{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.520{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-3F88-6323-770F-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.519{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F88-6323-770F-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.518{E743DC12-3F88-6323-770F-000000007502}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.301{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E9DDB5C083F2FC4FF69B276E509380,SHA256=386EE6662DC8C233B8B5BC45CCAF2A0CE6CD3595676CECA7F881BA7C1D80E780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.090{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=42B13B01A44934EFA7BD3032D8E6D2CB,SHA256=E57AFB52CB8B4C77AC0AE4C0B9EF5C42DA2179D76175A26A989D3EDEAF4C7507,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.062{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3F87-6323-760F-000000007502}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000168263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.062{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3F87-6323-760F-000000007502}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000168262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.062{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3F87-6323-760F-000000007502}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000168261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.061{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3F87-6323-760F-000000007502}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000168260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.061{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3F87-6323-760F-000000007502}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000168259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.061{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3F87-6323-760F-000000007502}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 23542300x8000000000000000272773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:49.774{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C94CD722331610934009609898BB4BE,SHA256=762AEB2E85F82B6573617FFBEE73AB8461F58C3B9A55380444B750A1B5C0B1BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.873{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F89-6323-790F-000000007502}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.873{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.873{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.873{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.873{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.873{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-3F89-6323-790F-000000007502}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.873{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F89-6323-790F-000000007502}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.873{E743DC12-3F89-6323-790F-000000007502}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.427{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579E6583046851A54B50CD742507AD85,SHA256=FD61D003E1C2F571A3F27F1E9BA36B5D51E8B8B8D0282A3795EF116E0049C29B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.359{E743DC12-3F89-6323-780F-000000007502}35925328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.200{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F89-6323-780F-000000007502}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.200{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.200{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.200{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.200{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.200{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3F89-6323-780F-000000007502}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.200{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F89-6323-780F-000000007502}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:49.200{E743DC12-3F89-6323-780F-000000007502}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000272774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:50.853{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736B2C77950EA16D0768918C990AA25E,SHA256=CAA73C8751A3C3E1786FB9F2027F1A34840153021B21E6912B0364122976396F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:50.950{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FC3E6F1BDDB84C2DBA68BAE918CB7F4A,SHA256=699D8218779E636BA00D82EF8C079569E00266363D66FE9A504ED598F37359E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:50.550{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F8A-6323-7A0F-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:50.550{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:50.550{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:50.550{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:50.550{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:50.550{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-3F8A-6323-7A0F-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:50.550{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F8A-6323-7A0F-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:50.550{E743DC12-3F8A-6323-7A0F-000000007502}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:50.458{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B18C058A463A4C0AE7DAB3574C3128,SHA256=DF7A82CC8183E1B47A6B838FF234606B86F5EB4726DBD89127D3BD4593305B68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:50.033{E743DC12-3F89-6323-790F-000000007502}59004876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:51.985{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05C22B819A1F7B33809AFC60494BC3CF,SHA256=700452B7DC749A3E84B9952858E8310795E1A15D4C371F37D76BBE72CD658F80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:51.859{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12ED2A9E41ACF2707F71EB55B8FC3765,SHA256=FC5FBAC502BFF30891A31810F6FF833ACFA22BCE9C94FDE69009381BBB70FA50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.926{E743DC12-3F8B-6323-7C0F-000000007502}27402860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.725{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F8B-6323-7C0F-000000007502}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.725{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.725{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.725{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.725{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.725{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-3F8B-6323-7C0F-000000007502}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.725{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F8B-6323-7C0F-000000007502}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.727{E743DC12-3F8B-6323-7C0F-000000007502}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.570{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE4F110C4B360D649B6862115B8001C5,SHA256=FB3CAC1602FB0F68F1FA143CCD6574F38DDC736A1810FED2032A1212F19E7CB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:48.663{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65455-false10.0.1.12-8000- 10341000x8000000000000000168313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.234{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3F8B-6323-7B0F-000000007502}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.232{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.232{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.232{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.232{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.232{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3F8B-6323-7B0F-000000007502}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.231{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3F8B-6323-7B0F-000000007502}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:51.227{E743DC12-3F8B-6323-7B0F-000000007502}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:52.694{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8E9912CC18E46C3969F014345725E9,SHA256=5705317E3B41663C8087498AF642FEA8BCB26F8654F0BC137425AAD32CCF8E59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000168324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:48.945{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55332-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:53.782{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628A1A004E1BFD30CD9ED58C5B674020,SHA256=CA0AC795CE2709109F5125BC7A6BA944BC2D9C8211A9F30995E2FBF7E8076331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:53.324{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DDCD0880058B23551BDCC922C2F0086D,SHA256=2E3D614EE9AF1049A29307996485AB9C3E4EFEDD537A593CF2875E5B09D97636,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:53.167{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD076EF915EC754E0C4A04B0CF5785DB,SHA256=44DEB329B1F1418B4DA830228ADADB8CFECAE9A3E9F2FEB0EB645C4924C7DAF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:53.473{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-441MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:54.891{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDCB6BB47EDA8E6E272C130885B56D22,SHA256=6AE368203795BB262D82BE3E7939C05037000D8FB926F5F4818170C773542FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:54.176{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A371DA412E407CF1931B287809AA52,SHA256=82F4F4A14EFBC536E2A48787651B002DFFE3B7D0B7A9A884A1DCAE26A566721B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:54.484{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-442MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:55.924{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED6EF84E7702F5BFFC21203FFD41B1E,SHA256=34261C01405C22F9D63B428D2BFDE5F376036E8C131788CDCBA841DFD0E4A9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:55.186{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C7AAFC59683FA85FAF45798615E4EB,SHA256=7BC918844EF02D1A5842AE5D043E0B72B87452D8CFF16DB9B565ADA432536222,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:56.399{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAD36A2B2BD1D70BF09EDDCD963BC2B,SHA256=038F7696CF6856E69FBE71CD2EE389CBD78D1C4C96555F78E81FE65E93D0A950,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000272782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:54.505{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65456-false10.0.1.12-8000- 23542300x8000000000000000272784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:57.509{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA85FB64D761C50D36A4798F3847D5D,SHA256=0909BE0D6CBC9A99832AC456412AC4F73122DCA9DD07EB3F3F7E79A9A793E7EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:57.994{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 354300x8000000000000000168336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:54.035{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55333-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000168335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:57.983{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:57.973{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:57.964{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:57.961{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000168331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:57.039{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7052943848B29C43F9C0074B90C2CC,SHA256=F3E06F1187117AE0E508E8E2A60A2CA073FE54846D5F2D013148B8BDA00BF4C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:58.821{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1239E3D2F6BB73B9B9460FEEEBCAB4,SHA256=C7B7B3C7D791A333393F4B9B78E18128D1CFCB2FCDDD02132C8F2BD3AF421D6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.327{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.323{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.320{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.318{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.316{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.297{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.296{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.294{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.293{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.290{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.287{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.282{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.273{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.269{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.247{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.234{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.217{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.184{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.177{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.164{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.158{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.152{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.150{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.148{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.147{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.137{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.134{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.133{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000168355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.132{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C8C12E64AC54D5E2155DD0948268FA,SHA256=BD402D34FA08EC3F1AAAE582B7E78113EB8118C55DDAB6AA75A95A5D64BED2CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.130{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.129{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.128{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.126{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.121{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.118{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.114{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.104{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.102{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.089{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.080{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.041{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.035{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.027{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.019{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.007{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:58.002{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000168384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:59.609{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41EED67888A3F086864627C80B12039B,SHA256=670C4E2B7CEF7A9B6D98ABC7B42D049DE2DB4215A8CAADD88E1CD2474272F061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:00.709{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD433EB7FE5C6290D4DFEF7151BAA6A,SHA256=C470A5A7B6D51FEFAFA4AA4171E9430A847B13CBBAE658048DFB5B8B85BEF3A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:00.135{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACB4CCFB89C275E0F6A425DCCF32857,SHA256=C1CEAED76B572189A10648D8B66A46AC719CF0E9FED211F24AA9F9A0F8A2A5EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.825{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C379BFFF651F555C0E1D518BC490DE,SHA256=61110B30EDBB2BF808949A39827FF93C27D107AA528774291EF9575613CC2D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:01.245{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC009EDEC5664F22C440D5EECB37370,SHA256=933C83A721E1BB9EFFF169631D2E9AEF35E0F74251E7D05DC532B87143E588A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000272787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:06:59.519{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65457-false10.0.1.12-8000- 10341000x8000000000000000168412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.358{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.358{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.358{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.358{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.358{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.358{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.358{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.358{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.358{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.357{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:01.356{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000168414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:02.886{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9623908F34ADE1E80C281A98D59DCC9F,SHA256=0BAB79E1967F028A1A227EF3773273E954D48B9D1E8C303606F312B46B8D01CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:02.251{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A203052EF3FC925C3D3BF56004261DAD,SHA256=E4CA2C177E66529203B348B4FE56469F98F2E709FFF3DF7AD0AACADE693FE4BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:03.927{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C15E1AC3C2537FD53827A0C8D5DC78,SHA256=E5E4D33EE838004780507C815713C74FE5251F8227816A6E814A6175AE2307B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:03.257{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122CB74E1008EE4F6A6C975DC8007C0D,SHA256=2742F164A1ADCAAED391EF32CCAA4D7D45B95B5A5F18F05915926A3525483D8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:06:59.986{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55334-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000272792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:04.407{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C9BD7D742DA96DBA40040D2623656EF,SHA256=6E8CB26DCD70EE8312E4003694122B18BE0E048316F8A7D63B436E6A853E0F53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:04.266{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D56A24D19FA9C6954C924EA9052BC1,SHA256=B7E738590F21145384E3EC9D6F5178A811A5413A4FE75EDA231D14EBD80DD081,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000272818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.749{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.748{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000272816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.386{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BA6EBEF18994656A6DD14D84B683EF,SHA256=454D31CB76740C51155BFA596768BCA9139EF3464681A4C15E4BC9F0DBC55D03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:05.042{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED270B1E0CDC8B3DD4482C4C431483FD,SHA256=6C90626BFA8DC4C59C46575C7843B74A61F9DFA4977E851503D885F79FB935FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.277{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.270{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.262{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.258{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.250{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.247{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.245{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.243{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.236{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.206{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.191{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.185{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 354300x8000000000000000272803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:02.723{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65458-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000272802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:02.723{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65458-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 10341000x8000000000000000272801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.178{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.169{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.160{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.147{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.140{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.130{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.117{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.071{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.068{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000272819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:06.394{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDAB885404C7E229F580AFD4BBE179C,SHA256=47BFA9B1E9B3B7AA796661359269DFC8DEDA9DF83B7A2FE50B7988DD4E9AFAA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:06.160{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524C95E832983E675AF9F2F6F21D64EF,SHA256=327C801AD1B9C7F19B9CADDECF7155327E386557D3C68012DC6291F00E0AAA95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:07.759{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:07.758{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:07.753{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:07.752{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000272820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:07.503{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED66AB66A2632367D5AD6F6080694FC,SHA256=4963F172B5315B9E4C9FB335F16CFA30EC6BFC2B5F4C238C0428C4EDE9B6B0CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:07.259{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5C632A2D05333B1477F210F1E951E3,SHA256=98690335A390E2AD5CC22037C695035AF64677FCBA78F60B7C2248114F18AA72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.553{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.550{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.548{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.545{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.544{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.520{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.516{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000168421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:08.387{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593B8816461D180D77CA01581F2A7CDF,SHA256=6A9B48D4DD3FD5A9C2CEA5E39131CB5065624064232734284D89CE6A560720E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.514{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.510{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.505{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.501{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.496{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.493{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.489{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.484{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.483{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.483{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.481{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.466{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.464{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.460{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.459{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.451{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.449{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.446{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.443{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.441{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.440{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.439{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 354300x8000000000000000272845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:05.476{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65459-false10.0.1.12-8000- 10341000x8000000000000000272844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.436{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.433{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.424{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.422{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.389{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.387{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.368{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.357{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.306{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.299{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.289{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.283{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.281{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.278{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.274{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.271{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.270{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.266{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.265{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000272825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:08.262{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 354300x8000000000000000168420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:05.033{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55335-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000272876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:09.653{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F66816D9A58F4BC4DF296E9D644B08D,SHA256=2CB396D9B7177550FA97D931D72616D1B7B4CF0DF1E00FBCC1FF7528C52CAFFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:09.510{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687125855C1DC51E8C6527442DCD2C6C,SHA256=5AF57302EDE2C9DF31F00BFC2A4CB3544F81666923DB1CD50D8081208622EBF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:09.105{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1890DEDD193FF7343988A4F1E6BA38BD,SHA256=19D4A09DDE74D6C1A67533CC9DB4F4EC10DCF27277D5145959DD7C9F1D56804C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:10.764{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F2CC116EE678E27FB5B3705F5DC965,SHA256=47DB2F820DCD37A4A39CA8010511EF0B71D0B826324134A247A2096D47440157,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:10.626{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1D3665CC036032E9AB860F334FC099,SHA256=50771750E943256A89158C6FD9EB39867EAC724ACEB5395FBBAAC8F8A54EB520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:11.875{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8701E949D878B92C37AA9AFE87392A6,SHA256=9A13306FEA82617E4CC6559B59A2564E614D248AFF98556ED5F356C9097A635D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:11.657{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7372B69E8D6B37C9DC2092C0820A0CA6,SHA256=D2609E781DC9263387BC08D534917BF45B8BD630CAAEEC8C6BC538F081EC82A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:11.127{6820D070-D2F0-6322-0D00-000000007402}9084416C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000168425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:12.792{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D307C50A61CB3E5584550591C1321F,SHA256=4A864A38606ADB4278DDFC2D1139BBF69716D43E4C09A6E6A2E0994844E603F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:10.670{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65460-false10.0.1.12-8000- 23542300x8000000000000000272880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:12.051{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-451MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:13.839{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523D1F1AB44958690AE3E40BB53FF218,SHA256=0E87736D1AF13580063B4F770887372145A608D3E2664F5DDCA9074792A231B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:13.189{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF4A1582BD917943C73F4BFFB8F1627,SHA256=19ABD170935663583FF68CA29A5D88E2A2EF0E2D20D20451100C053C8C1517F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:10.086{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55336-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000272882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:13.050{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-452MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:14.924{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37DFEB6DD396814947B451057441B04,SHA256=1564B2286262C6ABC9658FE80BB0F2C17FF9E64ADC001164594834AEC2CCB640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:14.501{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BC785ED63532177CC0D66B11C2417E,SHA256=E1BB9B3CC2DD58C0C882C66ACA2EE972785649235DC3D25E6F69FFAAA7AE91AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.857{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC17F34AC410C66E9F60469021C4D6A9,SHA256=7A265F68848DEA3FD50AE67623CD9ED36E128FE15F93F65CA707AAB1DD1CA379,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000272939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.761{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\AlternateServices-1.txt2022-09-15 15:07:15.760 23542300x8000000000000000272938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.761{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000272937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.760{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\AlternateServices-1.txt2022-09-15 15:07:15.760 10341000x8000000000000000272936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.668{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.668{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.668{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.667{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.667{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.667{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.667{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.667{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.667{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.667{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.666{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.665{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.664{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.664{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.664{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.613{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ECB19D429D5C70ECBDC65CB5D4B7585,SHA256=856359B2756324E76BC26F6820CD89FF62E893BA48184FC46530750C91A95DD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000272888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.485{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txt2022-09-15 15:07:15.484 23542300x8000000000000000272887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.485{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000272886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.484{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txt2022-09-15 15:07:15.484 10341000x8000000000000000272885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:15.069{6820D070-D2F0-6322-0D00-000000007402}908652C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000272941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:16.840{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C65723A653772E974056B2E4F95166,SHA256=1915596AABC4E6E99776BB4F12EFCA22B346F29D1F189267DDEA00CA7AC58636,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:16.055{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C353496AF70252DA4955FCC0C9E5C4F,SHA256=F0E92F378A7BECBF60EA687B24CC701B06F6EF29ED14D2F2CFD2C913B205C256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:17.976{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000272942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:17.845{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABE4E86BF1DFD79CE2282D9D5FC1108,SHA256=2171BBD2B4114DC1EA89F542DE4CD51C2A0435F01E5A39C11D7DE8E866B6D0C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:17.989{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:17.979{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000168430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:17.184{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6214698EEB723D1A7CCA26EC43950C,SHA256=94E8964327ACBDBBB6B72855C96F2CEFE16517F29539272CCA79B216EFAB0A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.921{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213283737A77DD5912D26F26A908C0BC,SHA256=7F846B2B37B36F5CBE24DB8853D096BE90B2AA804EAF65A0A71AD6FEFA880F03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.918{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1EF98873F6A69A74AEEFADB650874C4,SHA256=1F41BDC7C5FA562E53E5158EB39954DA3666CFB5E4014E1B7CC6828A1F2785E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:15.983{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55337-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000168481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.449{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.446{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.444{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.441{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.439{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.421{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.420{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.419{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.415{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.412{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.409{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.405{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.395{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.392{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.371{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.352{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.342{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.306{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.297{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.286{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.281{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.278{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.275{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.271{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.270{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.266{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.262{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.261{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.258{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.257{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.254{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.251{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000168449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.245{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0587D6E6FE354253144EA58EA5E597,SHA256=27FDE3D2913FDDDA4843DAA0C719A08F2BE3DAE3AAD286BB22E0F4EFCBE92891,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.243{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.239{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.234{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.226{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.223{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.198{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.189{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 734700x8000000000000000273047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.821{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000273046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.821{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000273045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.820{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000273044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.819{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000273043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.817{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000273042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.817{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000273041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.817{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000273040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.816{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000273039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.810{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000273038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.809{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000273037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.808{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000273036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.808{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000273035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.808{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000273034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.807{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000273033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.807{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000273032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.807{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000273031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.807{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000273030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.807{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000273029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.807{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000273028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.807{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000273027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.806{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000273026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.806{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000273025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.806{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000273024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.806{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000273023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.806{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000273022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.806{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.805{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000273020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.805{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000273019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.805{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000273018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.805{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000273017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.805{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000273016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.805{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000273015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.805{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000273014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.805{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000273013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.805{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000273012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.804{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000273011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.804{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000273010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.804{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000273009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.804{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000273008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.803{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000273007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.802{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.802{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000273005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.802{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000273004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.801{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.801{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000273002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.801{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.801{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.800{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.800{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.800{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.800{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.799{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000272995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:16.582{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65461-false10.0.1.12-8000- 734700x8000000000000000272994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.351{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000272993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.347{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000272992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.346{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000272991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.158{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000272990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.157{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000272989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.156{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000272988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.156{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000272987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.155{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000272986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.154{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000272985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.154{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000272984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.146{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000272983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.146{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000272982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.146{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000272981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.146{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000272980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.146{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000272979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.145{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000272978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.145{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000272977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.145{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000272976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.145{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000272975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.145{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000272974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.143{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000272973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.143{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000272972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.143{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000272971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.143{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000272970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.142{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000272969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.142{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000272968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.142{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000272967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.142{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000272966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.140{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000272965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.140{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000272964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.140{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000272963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.140{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000272962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.140{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000272961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.139{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000272960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.139{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000272959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.139{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000272958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.138{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000272957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.138{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.138{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000272955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.137{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000272954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.137{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000272953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.136{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000272952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.136{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000272951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.136{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000272950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.135{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.135{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.135{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.135{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000272946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.135{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000272945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.134{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000272944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:18.132{6820D070-3FA6-6323-5E18-000000007402}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000168441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.154{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.144{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.129{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.114{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.084{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.070{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.051{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.040{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000168433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:18.006{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000168483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:19.769{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876D2095EA5B2DD33E7742F28E5EA47F,SHA256=3A38575AC893F178A5FD8C6E04F132CE4B99F32F1C4D600A4AF6F8DAE7D2D6EE,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000273105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.676{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000273104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.675{6820D070-3FA7-6323-6018-000000007402}48406880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.675{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000273102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.674{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000273101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.493{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000273100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.493{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000273099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.492{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000273098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.492{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000273097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.490{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000273096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.490{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000273095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.489{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000273094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.489{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000273093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.483{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000273092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.482{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000273091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.482{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000273090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.481{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000273089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.477{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000273088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.476{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000273087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.476{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000273086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.476{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000273085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.476{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.476{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000273083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.476{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000273082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.476{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000273081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.476{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000273080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.476{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000273079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.475{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000273078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.475{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000273077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.475{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000273076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.475{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000273075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.475{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000273074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.475{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000273073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.475{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000273072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.475{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000273071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.474{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000273070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.474{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000273069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.474{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000273068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.474{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000273067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.474{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000273066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.473{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.472{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000273064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.472{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000273063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.471{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.471{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000273061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.471{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.471{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.470{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.470{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.470{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.470{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.469{6820D070-3FA7-6323-6018-000000007402}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.214{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01248DCBC4BAC7CEF52E2FB1CF6E0E4D,SHA256=8DAE49B075BE2208877A9DE3FAD1206CA9DFE0619CFE7BCE28DAEE563F9D1949,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.063{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1EC47E75F59B99BC4E22200C0C9C4957,SHA256=E9486B5930FD95481CB61379250C9E6A27B26C3DF76ED12D7C0825C473D3E0D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000273052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.035{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000273051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.033{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000273050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:19.033{6820D070-3FA6-6323-5F18-000000007402}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000168485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:20.886{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF04124FAA8CF10532699A0FF6698837,SHA256=6440C79DEAEB7CE506342303FD4F8F1B3C6046509E7DE25A371DA83B42683C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.880{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A6A4C5B86A3DE25DC09B259C8DC032,SHA256=87745045D4ABDDAF11FF4D901E35799B7FB3A03DD4A7C9B7C4BB74A5458265F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000273206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.775{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000273205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.775{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000273204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.774{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000273203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.774{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000273202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.772{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000273201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.772{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000273200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.771{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000273199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.771{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000273198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.770{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000273197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.762{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000273196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.761{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000273195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.761{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000273194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.761{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000273193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.761{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000273192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.761{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000273191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.761{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000273190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.761{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000273189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.760{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000273188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.760{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000273187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.760{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000273186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.760{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000273185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.760{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000273184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.760{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000273183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.759{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000273182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.759{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000273181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.759{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000273180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.759{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000273179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.758{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000273178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.758{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000273177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.758{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000273176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.758{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000273175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.757{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000273174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.757{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000273173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.757{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000273172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.757{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.757{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000273170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.756{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.753{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000273168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.753{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000273167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.752{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.752{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000273165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.751{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.751{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:20.358{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.751{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.751{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.750{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.750{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.749{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.743{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E76384C6546A992D16023106E1F30FE,SHA256=63B03A27337043213F19C3FCAE70E7B9ACC2FF739F82203BFE0A37349350CBDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000273157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:17.443{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65462-false10.0.1.12-8089- 734700x8000000000000000273156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.355{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000273155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.353{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000273154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.352{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000273153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.160{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000273152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.160{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000273151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.159{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000273150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.159{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000273149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.158{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000273148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.157{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000273147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.157{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000273146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.156{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000273145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.150{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000273144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.150{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000273143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.149{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000273142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.149{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000273141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.149{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000273140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.149{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000273139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.148{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000273138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.148{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000273137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.148{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000273136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.148{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.147{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000273134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.147{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000273133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.147{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000273132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.147{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000273131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.147{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000273130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.147{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000273129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.146{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000273128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.146{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000273127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.146{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000273126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.146{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000273125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.146{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000273124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.146{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000273123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.146{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000273122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.146{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000273121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.146{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000273120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.145{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000273119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.145{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000273118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.145{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000273117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.144{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.143{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000273115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.143{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000273114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.142{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.142{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000273112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.142{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.142{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.141{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.141{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.141{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.141{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:20.139{6820D070-3FA8-6323-6118-000000007402}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:21.809{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=6C295A8BC00F83AE15BEB5572CBE1CCF,SHA256=C40D6FA2ACBDA216190A733C0E7B803B2E7B089D37609CD68E42DDDCF5AFC29D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:21.386{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=86C9ADD6C3DB0D5D0EA7C2C4CD57D76B,SHA256=C6439A876772BC6BB92720A053241EAF12810A729EBB2D1AD6D0D5660DEF9E9B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000273263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.750{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000273262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.750{6820D070-3FA9-6323-6318-000000007402}65207008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.742{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000273260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.741{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000273259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.547{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000273258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.547{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000273257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.546{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000273256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.545{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000273255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.544{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000273254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.543{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000273253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.543{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000273252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.543{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000273251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.534{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000273250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.534{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000273249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.533{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000273248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.533{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000273247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.533{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000273246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.533{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000273245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.532{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000273244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.532{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000273243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.532{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000273242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.532{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.532{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000273240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.532{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000273239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.532{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000273238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.532{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000273237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.531{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000273236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.531{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000273235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.531{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000273234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.531{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000273233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.531{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000273232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.531{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000273231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.531{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000273230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.531{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000273229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.530{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000273228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.530{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000273227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.530{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000273226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.530{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000273225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.530{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000273224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.530{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000273223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.529{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.528{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66212A932940B61EA03569736C5E72D,SHA256=A31BD31068E17A7E327ED03E9FDEF5C66CB5AE7233EA02FBA2605D062E59E13A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000273221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.528{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000273220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.527{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000273219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.527{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.526{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000273217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.526{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.526{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.526{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.526{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.525{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.525{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.524{6820D070-3FA9-6323-6318-000000007402}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.013{6820D070-3FA8-6323-6218-000000007402}68447488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.013{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000273208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.012{6820D070-3FA8-6323-6218-000000007402}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000273316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.703{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0070D84627D27C40E289C1C6FB440E7C,SHA256=A6E2E582F4004B6FED01C0DF7CC0479722E8611B62B5B9B76D91B3A451C688C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:22.486{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:22.025{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED3999AE08BC1D030408D81E1B0E00F,SHA256=DD0A31D6653A588B3B2AE703B9BEC36D3699FE4827ADDA9CE16CD4BFAFE1401B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000273315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.243{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000273314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.243{6820D070-3FAA-6323-6418-000000007402}35247924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.242{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000273312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.241{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000273311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.182{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D358AD5D358D8DF2A85038B4871F22F,SHA256=2C44EE459592B2C83ED5E225E44D62A799EC445C92461FAE26CA32F9009D129D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000273310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.065{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000273309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.065{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000273308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.065{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000273307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.064{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000273306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.062{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000273305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.062{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000273304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.062{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000273303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.061{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000273302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.056{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000273301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.055{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000273300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.055{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000273299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.055{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000273298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.055{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000273297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.054{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000273296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.054{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.054{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000273294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.054{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000273293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.054{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000273292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.053{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000273291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.053{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000273290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.053{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000273289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.053{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000273288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.053{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000273287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.053{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000273286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.053{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000273285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.052{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000273284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.052{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000273283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.052{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000273282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.052{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000273281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.052{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000273280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.052{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000273279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.052{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000273278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.052{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000273277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.052{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000273276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.051{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000273275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.051{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.050{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000273273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.050{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000273272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.049{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.049{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000273270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.049{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.049{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.048{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.048{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.048{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.048{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:22.047{6820D070-3FAA-6323-6418-000000007402}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:23.751{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC1AE3865E118D5C1471D5093486EB7,SHA256=41B47941345073DCE5258243557B5CF587C01EF7409E2F01AACAD54372116514,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:21.005{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55338-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:23.162{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AAD91D3A15A4C0CF19B85BA38A16EA3,SHA256=F762A26D7FF32990BB3F6F951AD0E2E5C7162A5D559598EED6957148F81456BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:23.554{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4AE8B3A7955F70E483CA2E8DEB39BD26,SHA256=F78C2BC2EB1BAFB064745C76D70271FDCBCC78506A23CEDA64B65B3BBDED12E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:24.957{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705CFBF09DA69C63FB0391D3074367FA,SHA256=0FC7F175459BDE7E4461EE9B04C95D39E8C93964ECC372698EAE4758AA4EC6D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:21.309{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55339-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000168492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:24.256{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB1AD9AAEE6B7DCABE0E16A33703333,SHA256=88E5FA93A97A71D043E6E80D4103E702B366BBFE97EFB966529A3A1EA365153F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:21.718{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65463-false10.0.1.12-8000- 23542300x8000000000000000168494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:25.356{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460830352A9B50BE42F3D7BE958B90C5,SHA256=3256259D14B06B3D8EC1446FE1383DB4DA8C731BE5959832519A513A54D39257,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.731{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.730{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.283{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.275{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.264{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.260{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.253{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.249{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.245{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.244{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.235{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.210{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.188{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.182{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.166{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.159{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.146{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.134{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.127{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.117{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.108{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.104{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.104{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.069{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:25.066{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:26.415{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:26.415{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:26.274{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FE262CE39A650963B03A80ABB520CC,SHA256=6ADECD0B121A85CA0935B0E215580DA867AAB3399431C0945B94CBA59F714FA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:26.454{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4B908BC33E038E963D0B4792BE1C69,SHA256=78EED3CA7A143E435EE6E077AF87D3CFF069A0FA0743FAE2EF3CA93CC96B8FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:27.589{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3036A55F7D2D940AA8796C256696374,SHA256=2C6CB39C8B7AFCA4C339D8B7AC14428B0BF09FD953FA694B5EE96F0AFCDA1D90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:27.746{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:27.744{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:27.737{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:27.735{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000273349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:27.385{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC7876169EF631C1EB294465992F223,SHA256=A1438111A19FD04B632DACA5D209307CA571F8DDC5504B0551FA64DDFF5FAF46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:28.735{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72AC45BBA16CE12CA8A7FA70F7A6D6D,SHA256=2F933187C45BFD37E6D40D27D329D042ECAEF72F1F1EF0341073BAF99C8B66B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.597{6820D070-DD04-6322-7906-000000007402}26568088C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.577{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.577{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.561{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=9A8C47F49D652BEEA4984B646D0F0241,SHA256=BCAC129F534E8AAADCA3FC8B3D087FFD0DD947F1C602A12972E6783C49821B3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.559{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000273403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.553{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.550{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.547{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.541{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.540{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.498{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.495{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.493{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.490{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.488{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.480{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.473{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.466{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.462{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.459{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.458{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.457{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.456{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.443{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.442{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.440{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.438{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.428{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.427{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.424{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.422{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.419{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.418{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.417{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.414{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.410{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000273372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.409{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1D9443893AC9888C568EE00970C100,SHA256=E8F4D96CE99FFF2CCF6EE5ED6DB6B7F667740253A7876C652B06557E887C3BCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000273371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.399{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.399{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.370{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.368{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.349{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.340{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.292{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.285{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.275{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.271{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.269{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.267{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.263{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.261{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.260{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.256{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.255{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000273354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:28.252{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 354300x8000000000000000168499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:26.986{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55340-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:29.781{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A4311015C55B5F2CC05EC28626B548,SHA256=EC1D0BFB968E63F2B2325619E496612B145AEB46B43558C91217981E4DE5DC33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:29.850{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69A1F2721E7335C02568709B2DA4860,SHA256=E1855D691E0D3C838351CB70CB4E4FB7A0FC7B2EEFFEBB73F9953DE09675BB81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000273409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:27.568{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65464-false10.0.1.12-8000- 23542300x8000000000000000168500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:30.903{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F155012FE6B086A844425A0F61DD977,SHA256=EF34F3572F16EB7B011F856C4898C49EFF4B07EBE2F62A2B3CE5DDA0B01C8636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.540{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BFF2D7C184F43E290BEFC39C9E82E8,SHA256=52554E91FCD3534D70D7A274106F9344A8EAF6E22E024F5E72AAE23C31568DD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:31.962{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67AAF809F8A525C806D45C1220A487E,SHA256=2FAA34AFB0C15020B7CE50E890B327B69DE4B639BB983F270AE4534CCCD53CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:31.653{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B57D3D7EEE90E5D6858269B61C3D508,SHA256=8AD1564BABB822894F6959EA3BCAA621957C87085996F58777DD1B0B62DE01D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000273415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:31.508{6820D070-D2F0-6322-1000-000000007402}1081608C:\Windows\system32\svchost.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:31.468{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:31.463{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e76f08|C:\Program Files\Mozilla Firefox\xul.dll+e65430|C:\Program Files\Mozilla Firefox\xul.dll+42b8d36|C:\Program Files\Mozilla Firefox\xul.dll+2412b58|C:\Program Files\Mozilla Firefox\xul.dll+9b8b70|C:\Program Files\Mozilla Firefox\xul.dll+9707a1|C:\Program Files\Mozilla Firefox\xul.dll+1810d8|C:\Program Files\Mozilla Firefox\xul.dll+9bc4e5|C:\Program Files\Mozilla Firefox\xul.dll+443ab06|C:\Program Files\Mozilla Firefox\xul.dll+97c5dc|C:\Program Files\Mozilla Firefox\xul.dll+989894|C:\Program Files\Mozilla Firefox\xul.dll+988758|C:\Program Files\Mozilla Firefox\xul.dll+8b5b12|C:\Program Files\Mozilla Firefox\xul.dll+8363f7|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e 23542300x8000000000000000273412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:31.323{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=233F618A9AB4D0F238B629163C087769,SHA256=0E2999F2C00E78EF95CF441908BD73E3FBF31E9E8FF6B9838187B13EB7A790D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.914{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60FCF81E1E64F3358EA9D5B5CA316CD,SHA256=77BC8D7DCFE75DE7D113FF4DC47A98A5CD41056EBCC4C20219EE3CC52836295C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.913{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E029939602B7053120FA49AC3EFFDFFD,SHA256=7E9F645627BD9EE6C47922D7E54CF8E50CD06A6BE1665F17A9970B71DB6CFEB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000273543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:31.023{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65467-false20.50.80.210-443https 354300x8000000000000000273542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:31.007{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65466-false20.50.80.210-443https 354300x8000000000000000273541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.977{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59184- 354300x8000000000000000273540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.976{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local51025-false142.250.191.195ord38s31-in-f3.1e100.net443https 354300x8000000000000000273539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.974{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58185- 10341000x8000000000000000273538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.660{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000273537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.660{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000273536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.660{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000273535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.659{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000273534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.659{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000273533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.659{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 22542200x8000000000000000273532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.618{6820D070-EFF0-6322-ED08-000000007402}4396onedscolprdneu05.northeurope.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000273531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.617{6820D070-EFF0-6322-ED08-000000007402}4396onedscolprdneu05.northeurope.cloudapp.azure.com020.50.80.210;C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000273530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.554{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000273529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.553{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x8000000000000000273528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.550{6820D070-D2F0-6322-1000-000000007402}1081608C:\Windows\system32\svchost.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.548{6820D070-D2F0-6322-1000-000000007402}1081608C:\Windows\system32\svchost.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.545{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000273525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.544{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000273524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.543{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000273523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.540{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000273522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.539{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.539{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.538{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000273519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.537{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000273518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.535{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000273517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.535{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000273516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.534{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000273515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.534{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000273514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.534{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x8000000000000000273513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:07:32.530{6820D070-EFF0-6322-ED08-000000007402}4396\LOCAL\cubeb-pipe-4396-81C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000273512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 15:07:32.530{6820D070-EFF0-6322-ED08-000000007402}4396\LOCAL\cubeb-pipe-4396-81C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000273511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.528{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000273510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.528{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000273509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.527{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000273508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.513{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.512{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000273506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.511{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x8000000000000000273505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:07:32.510{6820D070-EFF0-6322-ED08-000000007402}4396\gecko.4396.1572.12375914406616698080C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000273504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 15:07:32.510{6820D070-EFF0-6322-ED08-000000007402}4396\gecko.4396.1572.12375914406616698080C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000273503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.510{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000273502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.509{6820D070-EFF0-6322-ED08-000000007402}43961572C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000273501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:07:32.509{6820D070-EFF0-6322-ED08-000000007402}4396\chrome.4396.84.38924224C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000273500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.505{6820D070-EFF0-6322-ED08-000000007402}43963484C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000273499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:07:32.505{6820D070-EFF0-6322-ED08-000000007402}4396\gecko-crash-server-pipe.4396C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000273498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.949{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local51024- 354300x8000000000000000273497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.948{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local51713- 354300x8000000000000000273496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.946{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52571- 354300x8000000000000000273495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.923{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59646- 354300x8000000000000000273494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.201{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65465-false20.50.80.210-443https 354300x8000000000000000273493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.124{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65479- 354300x8000000000000000273492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.124{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62552- 354300x8000000000000000273491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.122{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58270- 354300x8000000000000000273490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.053{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59625- 354300x8000000000000000273489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:30.052{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63595- 734700x8000000000000000273488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.499{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000273487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.498{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000273486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.498{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000273485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.498{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000273484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.497{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000273483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.497{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000273482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.497{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000273481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.496{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000273480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.496{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000273479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.496{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000273478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.495{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000273477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.494{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000273476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.494{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000273475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.493{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000273474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.493{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000273473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.493{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000273472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.493{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000273471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.491{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000273470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.491{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000273469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.490{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000273468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.490{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.490{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000273466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.489{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000273465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.489{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000273464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.487{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000273463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.486{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000273462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.486{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000273461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.485{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000273460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.485{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000273459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.485{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 23542300x8000000000000000273458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.484{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\permissions.sqlite-journalMD5=E7B152C687FE276EAF636113FCFFA87E,SHA256=67B867C938B31073DCA980806870B0D68C970797F3AD2FBE1FF8A649403ED8F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000273457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.484{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000273456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.483{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000273455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.482{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000273454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.481{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+e75602|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.481{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.481{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000273451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.481{6820D070-EFF0-6322-ED08-000000007402}43961572C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.474{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.474{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.473{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.473{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.473{6820D070-DD00-6322-5E06-000000007402}34204672C:\Windows\system32\csrss.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.472{6820D070-EFF0-6322-ED08-000000007402}43961208C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.472{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4396.84.389242240\630633758" -childID 82 -isForBrowser -prefsHandle 7336 -prefMapHandle 7296 -prefsLen 34176 -prefMapSize 229452 -jsInitHandle 1016 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4396 "\\.\pipe\gecko-crash-server-pipe.4396" 9148 184fcb99548 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-DD02-6322-1C5A-600000000000}0x605a1c2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000273443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.470{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.470{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.470{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.470{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.469{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.469{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.469{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.469{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.469{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.468{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.468{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.468{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.468{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.468{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.468{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.468{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.468{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.467{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.467{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.467{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.467{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.467{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.467{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.467{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.466{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.466{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000273417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 15:07:32.464{6820D070-EFF0-6322-ED08-000000007402}4396\chrome.4396.84.38924224C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000273552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:33.827{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6C31C22EB6E7F4A151793E1CDB681D,SHA256=ABABF4C9DFBF914B2AB7B9C8C581E1C32E1A59765E9178345CD67D77F1DD0C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:33.081{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EF8D02D89466AAC9C0B44211BA735F,SHA256=EB11DF2DA7C7FF712CB262EF2CF10CF34CFCB8C1E063847F784D1336308BCB89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:33.554{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1619713714E7F969033CBEB26A3C7A4A,SHA256=08CCB5AA865573C92E204C733037202668004CD4D0BCD43C54E21B918CB9F34D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000273550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:31.828{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58252- 354300x8000000000000000273549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:31.730{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local57775-false172.217.5.2ord38s19-in-f2.1e100.net443https 354300x8000000000000000273548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:31.729{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local50608- 354300x8000000000000000273547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:31.729{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local49790- 354300x8000000000000000273546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:31.658{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58213- 23542300x8000000000000000273554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:34.835{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76CBF3A6CEA04D2FFD991108AFCCEE2B,SHA256=DB52FBBB6756900DB54E054A8E91CD2186532BD7260A3FAFE614D169EDF0A26A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:34.219{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E65FF670414C6B6FB02C3DF2355F432,SHA256=447B67549E7B608083853F47047713B045DFD5B226C6A68B52EACFB7FDAC61E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:32.612{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65468-false10.0.1.12-8000- 23542300x8000000000000000273555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:35.946{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D082D8A2F6042115F567372C8F85A0C8,SHA256=F1E5F95EC4AC62FDC84F24FA88F196CD77CDF043D4F6EE35F9E7BBE8AD472876,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:32.949{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55341-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:35.352{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1062EFF00C0BB98B6762F717B4EF3F2A,SHA256=3563516BB879715C846CB8001CF6F620FE398F377739E03BF6822C7A2389AA04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:36.452{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26AD7237B0B9291DEC31F03117B254E4,SHA256=9D532B67ED86341FFD50D2CF24CD33332468DD15A92637E6D8420F091A17F42C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:36.783{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000273558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:36.782{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:36.782{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1a900a8.TMPMD5=AE83E3D1BED7E22F099EC37882555B7F,SHA256=19C20C1DAA5B1C1F7E9A0561569A10ABB7DBF1B544D26F74C2B5990D9C688508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:36.457{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\23260MD5=C08DD748649EB92775E396DE59D21026,SHA256=C442528770F72B73D2927EC42D2E4498EB70CC0DD6EB34EEA58D7338DB529CC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:37.991{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:37.979{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 23542300x8000000000000000168507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:37.578{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8428B3C78F742CFDCBB6CF4AFAEF29,SHA256=26477000ED59B0A50DCCA85F99D0139C0F8A06F3AFFB6F684E857302697ABB8C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000273563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:37.679{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 23542300x8000000000000000273562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:37.161{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5A26A54D68D59F42F7FAE53CD9ACF3,SHA256=66F7C59CFF9BC73974D3289BCA7F2C0E5410E0E5949A0A2380B442495FF7CBFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:37.024{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=943FDAACF57ED4A87ED8FB28D774FB6E,SHA256=D69D3D8BD2288B0C42F024412703E2EA26F5A69CEFF5A1C48A0F3639E29D211E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:37.015{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\default\https+++www.google.com\ls\usageMD5=FA521E311F5AA7834765484883C5DBC8,SHA256=E0D2A6E8BC6556F27B84ECB926F1BC6EECD03B36ABEA15B812F6FD43C45524BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.941{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FDCF6B2F52A6DC20E37BEDE1EC2A3B7,SHA256=B928A101562776AAA9F223934109BDDEB7BBDD8F095DF9E2418AABE2233B27C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.941{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B08198CF0604414C1DEE733F673C0FB,SHA256=09E5B10BE39558BDEE1CB422E0605443EF605D266D3DCEB035EB59CD36F7FCA6,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000273567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:37.407{6820D070-EFF0-6322-ED08-000000007402}4396plus.l.google.com02607:f8b0:4009:814::200e;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000273566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:38.534{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\permissions.sqlite-journalMD5=7EA4077EE87FC77D480B5122DD65D401,SHA256=D7AD43843CEEF85E972D514A8A7517D596E17122624F591BD8106A81401F722A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000273565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:36.909{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64363- 23542300x8000000000000000273564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:38.272{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E0431CDED3CB8F917BFD8BAAC8F6E7,SHA256=48E8C19F76ED3EA23EEB0CA1F850BB2539C801DEE5597454B07B0D59E03EA577,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.375{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.373{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.370{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.367{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.364{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.350{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.349{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.348{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.344{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.341{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.338{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.335{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.327{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.323{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.295{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.280{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.272{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.237{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.230{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.219{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.213{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.211{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.208{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.206{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.205{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.200{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.197{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.196{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.193{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.191{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.190{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.187{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.180{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.175{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.168{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.156{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.153{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.129{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.117{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.085{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.079{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.071{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.062{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.051{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.046{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.038{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.026{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000168510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.016{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 354300x8000000000000000273578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:38.123{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65470-false23.11.7.183a23-11-7-183.deploy.static.akamaitechnologies.com443https 354300x8000000000000000273577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:38.100{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local50156- 354300x8000000000000000273576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:38.079{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local50252- 22542200x8000000000000000273575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:38.617{6820D070-EFF0-6322-ED08-000000007402}4396e13630.dscb.akamaiedge.net02600:1408:c400:783::353e;2600:1408:c400:78b::353e;C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000273574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:39.432{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628,IMPHASH=31EA1856BC7597303D8126028BBFDFB8trueMicrosoft WindowsValid 734700x8000000000000000273573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:39.431{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\Windows.Globalization.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=D92AABEAF72AB2FB3B2E2F911477039E,SHA256=300FEBB1EFE1EECA4F535A828104A8F4AEF8FC4785A0456B2D8DA76E7EDAFC96,IMPHASH=0280A5811869EFED56B453A140477D51trueMicrosoft WindowsValid 10341000x8000000000000000273572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:39.421{6820D070-D2F0-6322-1000-000000007402}1081608C:\Windows\system32\svchost.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:39.286{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0181DF980FF824569D355637385591ED,SHA256=9D53B68AC4930484CA30D064C530CDC6694E9B2817FEF2ADAD3657EC48A34CFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000168569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:07:39.614{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000168568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:07:39.614{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x019fbe6b) 13241300x8000000000000000168567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:07:39.614{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c90c-0x83871ec8) 13241300x8000000000000000168566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:07:39.614{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c914-0xe54b86c8) 13241300x8000000000000000168565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:07:39.614{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c91d-0x470feec8) 13241300x8000000000000000168564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:07:39.614{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000168563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:07:39.614{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x019fbe6b) 13241300x8000000000000000168562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:07:39.614{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c90c-0x83871ec8) 13241300x8000000000000000168561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:07:39.614{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c914-0xe54b86c8) 13241300x8000000000000000168560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:07:39.614{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c91d-0x470feec8) 354300x8000000000000000273570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:37.718{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65469-false10.0.1.12-8000- 10341000x8000000000000000273569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:39.168{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:39.161{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e76f08|C:\Program Files\Mozilla Firefox\xul.dll+e65430|C:\Program Files\Mozilla Firefox\xul.dll+42b8d36|C:\Program Files\Mozilla Firefox\xul.dll+2412b58|C:\Program Files\Mozilla Firefox\xul.dll+9b8b70|C:\Program Files\Mozilla Firefox\xul.dll+9707a1|C:\Program Files\Mozilla Firefox\xul.dll+1810d8|C:\Program Files\Mozilla Firefox\xul.dll+9bc4e5|C:\Program Files\Mozilla Firefox\xul.dll+97c5dc|C:\Program Files\Mozilla Firefox\xul.dll+97f821|C:\Program Files\Mozilla Firefox\xul.dll+97e4db|C:\Program Files\Mozilla Firefox\xul.dll+97d705|C:\Program Files\Mozilla Firefox\xul.dll+988af0|C:\Program Files\Mozilla Firefox\xul.dll+8b5b12|C:\Program Files\Mozilla Firefox\xul.dll+83635f|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb 10341000x8000000000000000273699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.868{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000273698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.868{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000273697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.868{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000273696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.867{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000273695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.867{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000273694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.867{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 354300x8000000000000000273693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:39.135{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65473-false20.110.81.91-443https 354300x8000000000000000273692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:39.103{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61602- 354300x8000000000000000273691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:38.701{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65472-false13.107.246.40-443https 354300x8000000000000000273690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:38.700{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65471-false13.107.213.40-443https 354300x8000000000000000273689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:38.678{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61975- 22542200x8000000000000000273688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:39.175{6820D070-EFF0-6322-ED08-000000007402}4396part-0012.t-0009.t-msedge.net02620:1ec:bdf::40;2620:1ec:46::40;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000273687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.558{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0522F87D658C3CE58EE5AFAEAD5C6204,SHA256=CA5DD8C5DD9A3DF1A5514EA86E8A0214CD066D12ED69290C33417EAE976D1702,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.553{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9730621AA4422EF025F394D5F082AB71,SHA256=66F807EB8B0CA23E18A33C32F34F36A6C045C64393E16C17EB75604FE4F0A290,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:40.249{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0E08307C77AC46CA51B582B0D8982FED,SHA256=60F40FAB5D6A9CD6B433E06DF28876A970115C0DAE4685A5A0CFD75ED9E48A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:40.053{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280B8DC8305AA58042129DAFE861FEA2,SHA256=533FAD887B31A4B846B277D15AA549B63285F1F726CC60A6D290815E4247EA5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:38.675{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52107- 354300x8000000000000000273684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:38.671{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59300- 354300x8000000000000000273683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:38.670{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63328- 734700x8000000000000000273682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.264{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000273681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.263{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x8000000000000000273680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.260{6820D070-D2F0-6322-1000-000000007402}1081608C:\Windows\system32\svchost.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.259{6820D070-D2F0-6322-1000-000000007402}1081608C:\Windows\system32\svchost.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.256{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000273677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.254{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000273676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.254{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000273675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.250{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 23542300x8000000000000000273674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.250{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\permissions.sqlite-journalMD5=89C26744314184E5F1D3A70FAFA190C3,SHA256=FAE006FC9B67389BD0C61F182E09D2D0BAB98D535497B19DBE4CF6F53DC7DBDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000273673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.249{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.249{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.249{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000273670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.247{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000273669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.245{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000273668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.244{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000273667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.244{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000273666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.244{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000273665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.243{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x8000000000000000273664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:07:40.239{6820D070-EFF0-6322-ED08-000000007402}4396\LOCAL\cubeb-pipe-4396-82C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000273663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 15:07:40.239{6820D070-EFF0-6322-ED08-000000007402}4396\LOCAL\cubeb-pipe-4396-82C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000273662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.237{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000273661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.237{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000273660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.236{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000273659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.213{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.212{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000273657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.210{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x8000000000000000273656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:07:40.209{6820D070-EFF0-6322-ED08-000000007402}4396\gecko.4396.1572.763118700386143373C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000273655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 15:07:40.209{6820D070-EFF0-6322-ED08-000000007402}4396\gecko.4396.1572.763118700386143373C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000273654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.209{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000273653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.208{6820D070-EFF0-6322-ED08-000000007402}43961572C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000273652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:07:40.208{6820D070-EFF0-6322-ED08-000000007402}4396\chrome.4396.85.199304231C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000273651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.203{6820D070-EFF0-6322-ED08-000000007402}43963484C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000273650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 15:07:40.203{6820D070-EFF0-6322-ED08-000000007402}4396\gecko-crash-server-pipe.4396C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000273649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.198{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000273648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.198{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000273647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.197{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000273646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.197{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000273645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.197{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000273644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.196{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000273643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.196{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000273642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.196{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000273641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.195{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000273640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.195{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000273639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.194{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000273638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.193{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000273637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.193{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000273636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.193{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000273635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.192{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000273634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.192{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000273633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.192{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000273632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.191{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000273631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.190{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000273630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.190{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000273629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.189{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.189{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000273627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.188{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000273626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.187{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000273625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.186{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000273624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.185{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000273623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.184{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000273622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.184{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000273621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.184{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000273620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.183{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000273619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.182{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000273618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.180{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000273617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.180{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000273616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.179{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000273615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.179{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+e75602|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000273614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.179{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000273613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.179{6820D070-EFF0-6322-ED08-000000007402}43961572C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.172{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.172{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.172{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.171{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.171{6820D070-DD00-6322-5E06-000000007402}34204136C:\Windows\system32\csrss.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.171{6820D070-EFF0-6322-ED08-000000007402}43961208C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.170{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4396.85.1993042314\964823292" -childID 83 -isForBrowser -prefsHandle 7756 -prefMapHandle 6388 -prefsLen 34176 -prefMapSize 229452 -jsInitHandle 1016 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 4396 "\\.\pipe\gecko-crash-server-pipe.4396" 7644 184f8dd5648 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-DD02-6322-1C5A-600000000000}0x605a1c2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000273605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.169{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.169{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.169{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.169{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.169{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.168{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.168{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.168{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.168{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.167{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.167{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.167{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.167{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.167{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.167{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.166{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.166{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.166{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.166{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.166{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.166{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.165{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.165{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.165{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.165{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.164{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000273579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 15:07:40.163{6820D070-EFF0-6322-ED08-000000007402}4396\chrome.4396.85.199304231C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000273704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:39.995{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61236- 22542200x8000000000000000273703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.490{6820D070-EFF0-6322-ED08-000000007402}4396onedscolprdcus06.centralus.cloudapp.azure.com013.89.179.8;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000273702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:41.664{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C87D6F38D60874E1D8FF7B22ABCA4AC,SHA256=0361D7D059455893786BD57998C04FEBAFF3FF69A765782337FCE86AEF9897B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:41.629{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\31021MD5=4A5EDFA7A37DEE252115B88B31AA17E2,SHA256=40D1E524BCE49B4A1F0B1E5864470C2873B0B2E29278EAAF733DFDA5E53F9F5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:41.077{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C06A37838D7F0AB9AC70ECA69AE14B,SHA256=C06AEE33DF8C1941E828BB05E9216D06561655C618E8D232AE6AA0E6606131E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:41.212{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AB42CD287665559E73A54EE22D54BA1,SHA256=4C983E49E5A526505EC2EDE3F41DE8775596712EDE6639B50ADAD15D028EE882,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:42.777{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A32539EAE908D920048D1704D2E694D,SHA256=1D852F9DDA5BF7B8677FD1441848E495E42877F34DA514F7A87E9728A3E76233,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x8000000000000000273707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:40.492{6820D070-EFF0-6322-ED08-000000007402}4396onedscolprdcus06.centralus.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000168574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:42.200{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C21A6A13CB1ACAFB98136C0241D45EE,SHA256=68F9CB99186082DCFAE59B09AFF17F2463F044B63538FCCADBE218896F8A2A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:42.373{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=117E6A3AB48E43D1BCB0B6D1E5C82F73,SHA256=258A82EE43D0933A2506CD0875A7CE71FA82B17429E4E4A7F95E40817144BC1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:42.360{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\default\https+++www.google.com\ls\usageMD5=DC84272E5C1D6311D46038FDC346F065,SHA256=4F57A912D691E839712BDBECFC093570103F8E810A1092AE6523AF8B6C6A45BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:38.877{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55342-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000273711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:43.800{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C44B5D28B0A8104695ACE1021EF6937C,SHA256=AF21DDD76E6471941EB68C45E26C8B131B37308F8C8870D03CBBC4CB08415F71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:43.231{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6327110049005E570883E901E06246C,SHA256=0A1D0153F72283AB65C600DCBE98DD498E1F2D8A89F0ED713EFB78D3705ACEDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:39.998{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62144- 354300x8000000000000000273709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:39.997{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59179- 23542300x8000000000000000168576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:44.284{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625B2BBF61A56A0472E1E9DB98EB6EDE,SHA256=CC8320B565ECB114324E78C2186FB4CA63F2D930E0542B34542E2EB282AF1EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:45.314{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E332F85910C3279412CD255405AEF26,SHA256=14F128CC00EBB9921E48A73A1B752511A854FA4D158BB499D8110A4EA795CB41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.825{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.822{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.328{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.321{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.314{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.310{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.303{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.301{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.297{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.295{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.288{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.259{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.248{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.238{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.235{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.228{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.220{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.209{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.195{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.175{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.167{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000273715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.105{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A082D5347905529437B68A88853240,SHA256=D6369FD91B3AA4DDD618DF1869AC435C1D5841D320375117600A35F68168CC39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000273714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.097{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:45.094{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 354300x8000000000000000273712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:42.722{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65474-false10.0.1.12-8000- 23542300x8000000000000000168578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:46.347{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F0011746439C14DF1FCFED91424719,SHA256=EC6FF9F56DF1113BCBECBCD729B9C028B8269768B9A362A797641619EEDF57B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:46.123{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D0BF3E4800B417D52428B37F1F6057,SHA256=D8E469F418DBC9F49DE7A31B6F8A0E766E9B344EFDF7C0A6CBEC1F5F8181FBE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000273738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:43.713{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60062- 354300x8000000000000000273737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:43.712{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64121- 10341000x8000000000000000168588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:47.852{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3FC3-6323-7D0F-000000007502}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:47.850{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:47.850{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:47.850{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:47.850{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:47.849{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-3FC3-6323-7D0F-000000007502}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:47.849{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3FC3-6323-7D0F-000000007502}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:47.847{E743DC12-3FC3-6323-7D0F-000000007502}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:47.474{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E64C09082A51B422FF9818FABEC283,SHA256=B7345EAE62122C61A7AC9000926E026621A92FF041D2249C68D2B1EEB3039CD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:47.840{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:47.838{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:47.832{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:47.830{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 734700x8000000000000000273750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:47.732{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000273749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:47.730{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000273748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:47.729{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000273747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:47.727{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000273746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:47.725{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000273745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:47.725{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000273744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:47.723{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:47.307{6820D070-3DA5-6323-1A18-000000007402}3300ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exeC:\Users\Administrator\AppData\Roaming\smtp4dev\database.db-walMD5=CC4491BA37E8F6E94D9A2C4002FECD2A,SHA256=2892BCAFC172785F5E5BBB2661C7C4A359B0709DCA39DC22BB0C41216FB0B93D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:47.305{6820D070-3DA5-6323-1A18-000000007402}3300ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exeC:\Users\Administrator\AppData\Roaming\smtp4dev\database.db-shmMD5=C3376325AAC6FF018D570922113FE71D,SHA256=864ED7FB7FC83452407FC69B90D486D9863F4CB994F72A4FCAB0BE7293E6E2E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000273741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:43.727{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61849- 23542300x8000000000000000273740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:47.132{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC72237836C834FED16204D7B0855A3,SHA256=B9617BBEB60D105F42C69C84286DB1F96161BC7BE0CDB102FB9040852E6696C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:43.891{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55343-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:48.930{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4D95030F1F9C410BEF442FC6D779FF2F,SHA256=C0144C236B22141B203EA67FFBE2C930B984408CE5FB8AA90917C7570D1C732A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:48.854{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3D87C22369AC13C5ECE06C5D946B809,SHA256=5C20777756AA7F29A3EABFBD8368F3A139A406075D6B6000B477939006A6AFFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:48.528{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3FC4-6323-7E0F-000000007502}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:48.528{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:48.528{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:48.528{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:48.528{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:48.528{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-3FC4-6323-7E0F-000000007502}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:48.528{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3FC4-6323-7E0F-000000007502}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:48.529{E743DC12-3FC4-6323-7E0F-000000007502}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:48.512{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E816C6A009FDA109621BA5073FE51DF1,SHA256=4BB2182EBA0F41F33CC6825BF86A539BFAC9DCE127768204A6C36C44650ACFAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.763{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=AFE2E12E224456A013E2309A85053D96,SHA256=06CD43686600CF0E47FA50FF51ECA2C327BE2DAA047DB0CBFA82AA3ECBB6B83B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000273804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.624{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.621{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.619{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.616{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.613{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.612{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.592{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.589{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.586{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.584{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.580{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.576{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.573{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.567{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.564{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.563{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.562{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.561{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.547{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.546{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.538{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.535{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.519{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.518{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.515{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.512{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.509{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.508{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.508{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.504{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.497{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.488{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.486{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.459{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.457{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.439{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.431{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.389{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.380{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.369{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.364{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.363{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.359{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.356{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.353{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.352{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.348{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.346{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.344{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000273755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.250{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB84E92C3D72AE9F1CE16E17645EBE8,SHA256=B31D898A2D818764A75A49C900270D24C48568AE5C90FF784C7A7E20A5675A47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.878{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3FC5-6323-800F-000000007502}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.873{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.872{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.872{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.872{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.872{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3FC5-6323-800F-000000007502}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.872{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3FC5-6323-800F-000000007502}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.870{E743DC12-3FC5-6323-800F-000000007502}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.583{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF711FCD1FB3C09CA8240D3C20D5A04,SHA256=C93434FE1FF49D08005F8494924B6BF1A77137724E720FE255B673F512D40F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:49.496{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B1AA20468EE1FFD17885B4CDD63B5C,SHA256=5D8EF924635283EFAE2613A0B3D7BE42AAA9A2369F67086260BF454CDE0B9BD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.383{E743DC12-3FC5-6323-7F0F-000000007502}30364180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.199{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3FC5-6323-7F0F-000000007502}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.199{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-3FC5-6323-7F0F-000000007502}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.199{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.199{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3FC5-6323-7F0F-000000007502}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.199{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.199{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.199{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.200{E743DC12-3FC5-6323-7F0F-000000007502}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:49.354{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA1D61AC595D79D888AE381ABABDF9A,SHA256=C1DB3EF3448B4AA07EA66607142C0175E5CB3B96F66C69509F5FE6C31CC686A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:50.924{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FE172B79E6C311BE894A59F33ABCFD5A,SHA256=5CC9D0306E36E8A4E8A0D8509640EC7F27D56C076EAE84B9F76FE11447FD58D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:50.731{E743DC12-3FC6-6323-810F-000000007502}4668916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000168626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:50.700{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EBFB036B780BF2109CA6FF5AECED71A,SHA256=0BBA507FF45F0AE892AC9CC386F24E7A5030F273EB9E1DF3EB2D29A8D992AB4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:50.980{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:50.980{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:50.980{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:50.976{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:50.976{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:50.976{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:50.975{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000273809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:48.588{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65475-false10.0.1.12-8000- 23542300x8000000000000000273808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:50.506{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC105C31D1F5420A7D724E9BE28087B,SHA256=117041DAA1BFB8269BE0CCC215EBB67D65CCDC015B226C1A499F990C266A9292,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:50.531{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3FC6-6323-810F-000000007502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:50.531{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:50.531{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:50.531{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:50.531{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:50.531{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3FC6-6323-810F-000000007502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:50.531{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3FC6-6323-810F-000000007502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:50.532{E743DC12-3FC6-6323-810F-000000007502}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:51.861{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:51.861{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:51.619{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238F308283C3FB9D3EB06CDECAAE3FAC,SHA256=A48C6F7880FC86251CA0C66B06B30DB30D32B56A1EF8288B997A3AB744B5DC35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.876{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3FC7-6323-830F-000000007502}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.876{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.876{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.876{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.876{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.876{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-3FC7-6323-830F-000000007502}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.876{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3FC7-6323-830F-000000007502}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.877{E743DC12-3FC7-6323-830F-000000007502}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.799{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C191C49475678251D38B6AC372DC8E34,SHA256=33CC3ABAD1325C3E3135E8652CB8E52FBEDE5B088633FF1DAAF74EDD49FAB8B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.361{E743DC12-3FC7-6323-820F-000000007502}33923488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.199{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3FC7-6323-820F-000000007502}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.199{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.199{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.199{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.199{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.199{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-3FC7-6323-820F-000000007502}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.199{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3FC7-6323-820F-000000007502}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:51.200{E743DC12-3FC7-6323-820F-000000007502}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:52.829{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B55ED0D727885D5232005B10C38219,SHA256=136EFE51B43C2A23BD5760ECF9B36E90888498027D9BE0BDACADF71385CB0011,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:52.785{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:52.785{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:52.729{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0401597ACDE2B74A3EC5E4A16A19CC,SHA256=4333625C5E3D19527CCD3F9BF058088F810D0B186F34E6AFF86DACBDD071CB52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000273821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:52.522{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:52.522{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000168654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:49.029{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55344-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000168653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:52.091{E743DC12-3FC7-6323-830F-000000007502}50965380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:52.031{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3FC7-6323-830F-000000007502}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000168651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:52.031{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3FC7-6323-830F-000000007502}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000168650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:52.031{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3FC7-6323-830F-000000007502}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000168649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:52.031{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3FC7-6323-830F-000000007502}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000168648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:52.031{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3FC7-6323-830F-000000007502}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000168647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:52.030{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3FC7-6323-830F-000000007502}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 23542300x8000000000000000168656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:53.949{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A4F83C800CFE1C31CFDAF415748328,SHA256=F7049C2E47C813F0F22AFF8298A60A5C7395A604B6A0336CCC1F392B330FDB59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:53.943{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE46BBFBC7588A033169E0FAE0359CD6,SHA256=AFFA3D32940687DE1FDD275CCB53A534E5804125AEA1F344DD476BDF9E14422A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:53.558{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=98DD15532F348E6DAB23986573697F96,SHA256=C3BB69E42623BC8C9557867AFDFFB0E3A0245ED9F6AFAA0529AEC52C415369F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:54.997{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-442MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:54.951{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE9FD4154E40C8FA1C0961BDA7D9B1C,SHA256=67495664E47165E9A0CDE40F5F326675B58137FEDB3ABE724C60A7890234A9F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:55.049{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8050B45D6664E19DF0F5276613E6177D,SHA256=26BE595758CE5E169C6A32B968EDE53F0D700C58B6B65DD9BABE06DAD7221A48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:55.063{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:55.063{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000273831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:54.511{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65476-false10.0.1.12-8000- 23542300x8000000000000000273830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:56.158{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7696D5D43064E3E665A07EE2C2129949,SHA256=5345106D99296883297C8894B2186666380D47C0443E00B170F129E4E553F7EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:56.041{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46FB94BF820CF86C1CE9B2189453556,SHA256=264223D74DEFB19D33BA739159894CB65378B4F4092AE7E9611B9810F1ADB3D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:56.002{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-443MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:57.268{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E15B0954E8D26351827F10A73C2D35E,SHA256=D185FE00B3421747CBDB400FDED134F3331F09499313BEEBB06AECA20FEBC840,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:57.997{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:57.988{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:57.979{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:57.968{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:57.964{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 354300x8000000000000000168662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:54.045{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55345-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:57.018{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933162B5B92C094E8E618B58267B62D3,SHA256=2A0830A6595CCEC6E5C9813A37B52FA993B7FBEBBE9BAB99494662F91C72D0BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:58.279{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D778975E960B4A66D20910E74AC4ECFE,SHA256=75E72976A05ADADAAE11C16AB04235BE8446627EEB81BBD576C0535788B63B3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.304{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.301{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.299{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.296{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.294{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.278{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.277{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.277{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.274{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.270{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.267{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.263{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.254{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.252{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.232{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.216{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.206{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.180{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.172{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.160{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.154{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.153{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.151{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.148{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.147{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.143{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.140{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.139{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.136{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.135{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.133{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.131{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.123{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.120{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.117{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.106{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.104{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000168676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.092{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186B4DA2CC5E4DE96301103B01B1D892,SHA256=662BDAA541B8194EFBA230E7BF2FA0121628321FC597D803DB1FBDF55974F856,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.089{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.079{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.050{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.043{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.035{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.027{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.011{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000168668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:58.001{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000168714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:59.354{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB56E8D3CFE236428AC443083113B54,SHA256=407D2EA89CA2C3632DC06E684181393023627E0717E7842D189849B1EBCB2C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:59.390{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94991ECEC74A1C091AB58E74B721768,SHA256=4668B8149ACC7ACCFBD24C6DE1D223111859B3167713412AC9277516AC7B17F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:00.454{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776CF5D88C1869F6E956DF08061DED92,SHA256=8A3D97BE6EC9C1D6AB97894F835EC622686A670E4883391F53795DFAC59EE8EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:00.401{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86D8BE83DB32A301E1EA734BE60B580,SHA256=FA3840EFD1C325595445F7772478ED6A75BB04EE6F00CF9851CB669877C6CF03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:01.603{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB242BF6C120B935E463467D77DEC9C2,SHA256=5E1CEE0B227964A858DD5E4E8038B00095D726BC47971A6D43A2138AB865FD93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:07:59.578{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65477-false10.0.1.12-8000- 23542300x8000000000000000273836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:01.412{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F2EB6875632B097C06FC70AFD4DDD1,SHA256=46B5F06AF30C164BC841484C130ADDCB3F9E2850D29CFD9A4827732ED4B4C259,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:02.751{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236F51033C024A2CFFB2A80C332E1E72,SHA256=456A517073D36CEA27F722FA9933A74D4FDA9A0897407C81209B2D73C2C7C4B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:02.421{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2777D122E90D84724E8A6CDB2B121B01,SHA256=803A8D52237893BCD07D21074C0A0B85C5F7E00628E3EF7C80E97E5B3B10A9F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:03.886{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3EF2BBF7AD8D7DBB00D46E5F22748B,SHA256=ADE0B30C9C039CE1E0B8A1446AA971D8CD078C59C3E008C5B36D5E73E2054879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:03.430{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F008F0B2A6B8B5DC54B92B018EF0BE9,SHA256=1DDC2193356D2186BFAEA8AE0985BF26464EC1BB0C977249574A3B09D1FF136C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:07:59.964{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55346-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000273843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:02.725{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65478-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000273842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:02.725{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65478-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000273841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:04.438{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0DC83CB8104966A51FABB86A649015,SHA256=A0375A0F3AB1E71B6E358F1A42A0AAD34BC36BC1BBBE99B05B8073EACAFC9D7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:04.330{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DF23B91BDF2F850BD7B2E10E490C9D5,SHA256=3C530CFE8B8D1332B1707BC6C8989783FA73A13FD6A4E048875F94E9B8AD1C4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000273867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.753{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.752{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000273865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.457{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=343712298B4D84DA9487D0CF3D76D4EE,SHA256=A989E62238A0C9CEE623C13AD571F5BE85FF4F48D9E68D0EDF0C5A366EDA7F3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:05.017{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8839DD0898BF570437C38E481ABE80CA,SHA256=DAA7D5E7870B8975A4CC843AC758968FC9EC87701F9D3E5DF1C3338571B93E79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.331{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.325{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.317{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.314{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.302{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.298{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.295{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.290{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.284{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.257{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.236{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.228{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.216{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.205{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.190{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.174{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.166{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.152{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.140{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.071{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.069{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000273868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:06.764{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9114CB6643B589BC19A582982B8EC6DA,SHA256=64754D86AD3364411BE35D939D9CC07EC9B6D2C6C810A0AA24646AFBE07E671C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:06.294{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000168723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:06.294{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000168722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:06.294{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1a0269b.TMPMD5=39D11997735CDFDAB7051AB86B8F82E9,SHA256=34F34B56FDEF9CE630B3344FE748DFBC186169F1CA2CC69FB9A6920D5DE026AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:06.049{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34555E97B828D41A7C8CFE523DFD09A,SHA256=F312BFE8D5DE0D3BECB24145F6319E3E204B1226F0688E017D165E7E3D56CC37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:05.478{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65479-false10.0.1.12-8000- 23542300x8000000000000000273873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:07.770{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA00E34F6D8DF120C207E9BA4FE7403,SHA256=87A5175B88A0D83F17491E7D9D11E6EDFCCE5A3CD04CF35BB3DF348DBD224368,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000273872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:07.765{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000168725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:07.178{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548F89F796FA27BEDAE2FFBD54E3B443,SHA256=47E7A6965E78C228F5B4E0372D096C0AAEBEBF4F23B59C0ACC8781DEE63F0EC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:07.763{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:07.758{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:07.756{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 354300x8000000000000000168727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:05.876{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55347-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:08.217{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01228A5F640B1A40C9DF0CFBE0BCB497,SHA256=18310290FBFAF5373FB575CCA4658CC81AC82C8FBABB7DE6675B1FA1A9E15658,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.663{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.658{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.654{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.648{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.646{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.645{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.605{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.600{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.595{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.593{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.585{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.580{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.575{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.571{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.568{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.567{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.567{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.566{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.539{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.538{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.530{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.527{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.513{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.513{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.508{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.503{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.496{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.495{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.488{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.485{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.480{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.470{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.468{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.430{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.428{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.407{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.395{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.331{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.316{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.299{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.291{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.290{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.287{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.282{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.279{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.278{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.274{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.272{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000273875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:08.269{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000168728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:09.315{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7956E33C3DED0B53A176575F4289227D,SHA256=6FDA2B1CF47B9B23252E53780746E84C013B4A222CCE450BA07E77D7D1D095C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000273931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:07.798{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal49606- 354300x8000000000000000273930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:07.797{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal62561- 354300x8000000000000000273929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:07.793{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal56051- 10341000x8000000000000000273928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:09.180{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:09.179{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:09.179{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:09.056{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF3E8C2E9A98770E93FF1F9E420E343,SHA256=3A36AAABE509407358E9545A043A1BE002EB1A6E6EAF600910256A6E5A6F042A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:09.054{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=868008B66EEF9A5FD75D219E70053BEA,SHA256=3842818F1F27C5E86014A16933673A9A31E06825143812A19C4EFBE7694F7404,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:07.181{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55348-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 23542300x8000000000000000168729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:10.348{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEBF6A8133A42F62DC691FDA22102676,SHA256=39B74EF86AA18B7EDE5185DA291927725E71981BB03C0E8B033948EECF90E87F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:10.064{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601C73F3D683758503A97A67EA0D7DC5,SHA256=EF2FA65FF90F0404A501E5A0685CB013AC195D28EE969C6FD125BE700A758649,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:11.477{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52A4B25A96F52413703FDA753B4077B,SHA256=C7B3A0418F5C7C91F5F0626C7FD02234F97DE88070F5A50A0F6D89CD6883350A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:11.709{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:11.709{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:11.709{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:11.651{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:11.651{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:11.171{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E9B7184706BD13EF2AA363EBC0CC45,SHA256=ADEDEBA66BE565448E93BF171CBF3576ADACAB30966DA29EE224CD51A7F42264,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:12.600{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CFF1A65069254D9581C53C6F317854,SHA256=E701A57575A72D96FC814EF0D3892E0E463980CE74B4F075173C0E6965F5D961,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:12.902{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:12.902{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:12.901{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000273945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:10.504{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65480-false10.0.1.12-8000- 10341000x8000000000000000273944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:12.814{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:12.814{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:12.801{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:12.800{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:12.800{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:12.386{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769E6F9CE146DEF90CD0ABE4F5D48D0C,SHA256=AFAC873BDEB3D654BC45E306C1D2247D74651C76425BF54678A288233CF423F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:11.091{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55349-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:13.716{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DCA329C761D4B90AB3D0933A2AC19A,SHA256=572A79F64C110DF27C377569BFFA377BE3A8C35C63137A5A954444ED8D591031,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:13.960{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:13.960{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:13.960{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:13.916{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:13.916{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:13.558{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-452MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:13.401{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2444822C4EE4B216B178C7D3FC6AF93A,SHA256=486777A70EFF0AD427BC02FFEC9299861955C0FCF40E8830D8D0D3E84CFE9689,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000273951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:13.057{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:13.056{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:13.056{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000168735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:14.849{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54C9ED10A92329A7445342D8C123B90,SHA256=08C1188373D0A26824D5DF4376E5675F69977C99E3F22F4D1A62C52F620B3007,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000274030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.999{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.996{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Globalization SupportMicrosoft® .NET FrameworkMicrosoft Corporationculture.dllMD5=22E9113EA0D1D8252314F23BAD16DD36,SHA256=A731E05FCFCE0B9FCF449DFB589A49C09FC63593D61676F5EE3977CBD47C64A9,IMPHASH=104E17C81D918D1C093DA532DC4F4DBEtrueMicrosoft CorporationValid 734700x8000000000000000274028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.995{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.995{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.992{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x8000000000000000274025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.992{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x8000000000000000274024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.991{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x8000000000000000274023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.990{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B05DBB473918152F51A7F5A10FE250C7,SHA256=85EA95E8D8B1123288E84E5DC8502584288D67B2C692B118411F37774479498B,IMPHASH=A7A8E1C7D8A348EDDDA81702A2FEC068trueMicrosoft WindowsValid 734700x8000000000000000274022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.989{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x8000000000000000274021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.988{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=65BF71AD92E68AC9BCDFA13C5FF0959D,SHA256=14FDD181EF550EAE500F4B617877BD2DC04827704704A56DCF30446AEEA2882A,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 10341000x8000000000000000274020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.979{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(0000000001140472)|UNKNOWN(000000000844DDC1)|UNKNOWN(000000000844E42A)|UNKNOWN(00000000132F5640)|UNKNOWN(00000000009B6AC8)|UNKNOWN(00000000009B68B6)|UNKNOWN(000000001301BB1E)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE) 10341000x8000000000000000274019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.979{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(00000000011234C4)|UNKNOWN(00000000011233F4)|UNKNOWN(00000000011233CB)|UNKNOWN(00000000009B6AC8)|UNKNOWN(00000000009B68B6)|UNKNOWN(000000001301BB1E)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08) 10341000x8000000000000000274018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.978{6820D070-27DD-6323-F614-000000007402}65044588C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000001301360A)|UNKNOWN(000000001AAAFDB2)|UNKNOWN(000000000343334C)|UNKNOWN(000000001AB3F017)|UNKNOWN(000000001AFF8399)|UNKNOWN(000000001AFF81F1)|UNKNOWN(000000001AFF81A9)|UNKNOWN(000000001AFF804A)|UNKNOWN(000000001AFF7EA6)|UNKNOWN(000000001AFF7CBB)|UNKNOWN(000000001AFF7B64)|UNKNOWN(000000001AFF7577)|UNKNOWN(000000001AB6832F) 10341000x8000000000000000274017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.974{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(0000000001140472)|UNKNOWN(000000000844DDC1)|UNKNOWN(000000000844E42A)|UNKNOWN(000000001301C500)|UNKNOWN(00000000009B4B8E)|UNKNOWN(000000001301BA6A)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08) 10341000x8000000000000000274016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.973{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(00000000011234C4)|UNKNOWN(00000000011233F4)|UNKNOWN(00000000011233CB)|UNKNOWN(00000000009B4B8E)|UNKNOWN(000000001301BA6A)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 10341000x8000000000000000274015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.973{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000001301C1EA)|UNKNOWN(00000000009B4C5C)|UNKNOWN(00000000009B4B6D)|UNKNOWN(000000001301BA6A)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64) 10341000x8000000000000000274014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.973{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(0000000001140472)|UNKNOWN(000000000844DDC1)|UNKNOWN(00000000009B359E)|UNKNOWN(00000000009B2AC8)|UNKNOWN(00000000009B2566)|UNKNOWN(000000001301213F)|UNKNOWN(00000000009B1F77)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 10341000x8000000000000000274013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.971{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(00000000011234C4)|UNKNOWN(00000000011233F4)|UNKNOWN(00000000011233CB)|UNKNOWN(00000000009B2566)|UNKNOWN(000000001301213F)|UNKNOWN(00000000009B1F77)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 10341000x8000000000000000274012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.970{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000001301360A)|UNKNOWN(00000000009B2520)|UNKNOWN(000000001301213F)|UNKNOWN(00000000009B1F77)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+4660a(wow64) 10341000x8000000000000000274011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.970{6820D070-27DD-6323-F614-000000007402}65047400C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(0000000013010C9F)|UNKNOWN(00000000034BE48C)|UNKNOWN(000000000354671F)|UNKNOWN(00000000009E816D)|UNKNOWN(000000000D7DD087)|UNKNOWN(0000000003542CCE)|UNKNOWN(000000000D7D69E5)|UNKNOWN(000000000333A6E5)|UNKNOWN(000000000333A62A)|UNKNOWN(000000001AFF804A)|UNKNOWN(00000000035B45C5)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+4660a(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+900db(wow64) 10341000x8000000000000000274010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.965{6820D070-27DD-6323-F614-000000007402}65041996C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64) 10341000x8000000000000000274009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.965{6820D070-27DD-6323-F614-000000007402}65041996C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000274008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.965{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET External Data Access SupportMicrosoft® .NET FrameworkMicrosoft Corporationcordacwks.dllMD5=0ACFE06D73EFBCAFACF72A22F7D79E91,SHA256=525591629E48EC84FE78DBC621AE91536E7039B50593B60AD6B3801B1F91EB5A,IMPHASH=F0FBF635B7EFD828980AA6937580AF82trueMicrosoft CorporationValid 10341000x8000000000000000274007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.963{6820D070-27DD-6323-F614-000000007402}65041996C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000274006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.963{6820D070-27DD-6323-F614-000000007402}65041996C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000274005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.961{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_d08e1538442a243e\msvcr80.dll8.00.50727.9268Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMSVCR80.DLLMD5=26A95438C2D0E0C41B73D19400F4C2DB,SHA256=CC97DCB66E3150CD14294D21AD0E10C7472DF45CAF37E49675A70ED406882BE2,IMPHASH=7FECBC4A16A5DC85A5394A1DF6217680trueMicrosoft WindowsValid 734700x8000000000000000274004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.960{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationmscorwks.dllMD5=25CEE067AED86FF988C8D31BD7212A21,SHA256=3E0987EFC92F4BCD2798934A70BBEDCADB37899B4F6225279F3685A0DB5BB2F8,IMPHASH=C8D17502D1A38C77CC8770F7291FD333trueMicrosoft CorporationValid 734700x8000000000000000274003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.959{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9,IMPHASH=313B85F092EA5CD18DD8311E8921D208trueMicrosoft WindowsValid 734700x8000000000000000274002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.958{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x8000000000000000274001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.956{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x8000000000000000274000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.955{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x8000000000000000273999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.955{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x8000000000000000273998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.954{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=8B516F883167509677B58B9984D8EEA2,SHA256=47F9B88E4038517FC8C5FEB3AC04B21A885EE505143952C96A23FE851869A90E,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x8000000000000000273997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.953{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x8000000000000000273996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.953{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x8000000000000000273995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.953{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=9629C30BA0F10D72FD189FCA987B0E29,SHA256=4DDAF3BB8CE239A8AD41F333AE7D2AD6B7763B9ED8B862695B67F60E5ADE031C,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x8000000000000000273994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.952{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6CE01AB1C2063B171AD7432B130FEBBD,SHA256=F554E9818C54F6C760C6E53BAEABCA3F5CAD683C028460307F3D93C7A8B06F02,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x8000000000000000273993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.951{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120,IMPHASH=25F1E57C7A6ED06AAF329CB7B168FA29trueMicrosoft CorporationValid 734700x8000000000000000273992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.949{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x8000000000000000273991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.949{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x8000000000000000273990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.948{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=1B90C58145F4B3C0743C470793469AD6,SHA256=21D752964E10DBB4DFC589856AA808D31E301B93C9E5FF6D1655D32FBD00AF44,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x8000000000000000273989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.948{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=C6EE0DB29435BF41835FFA96EB2F14C5,SHA256=CAF9E05D47F84728986E1BF563B3B87FAF3522F4E0CC4FD95694F418C307AD92,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 734700x8000000000000000273988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.948{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x8000000000000000273987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.948{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x8000000000000000273986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.947{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7,IMPHASH=8B861EA72FDD6FC722328B2746B13380trueMicrosoft WindowsValid 734700x8000000000000000273985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.942{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Temp\agent_tesla-deob.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exeMD5=76913CA0C8C7072D6018B5A725E6154C,SHA256=0FDAF674EE8FC56A7F08E48FF865DF72B1AD3FDEF2D7AEB0EA8EA8DA9DAF313C,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 734700x8000000000000000273984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.946{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=25ADC994F9AF8716E35487995DDB45CE,SHA256=47B573E7708AAA00F2BE6E8EB7F3CB1B4817E65FACBBB1D772970A8F710DAF61,IMPHASH=6E1D0A92C1917EFBFC1EEA82FA5E155FtrueMicrosoft WindowsValid 734700x8000000000000000273983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.946{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000273982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.946{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77,IMPHASH=900F88A34CE398C54C9022F5335E8EA9trueMicrosoft WindowsValid 734700x8000000000000000273981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.945{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x8000000000000000273980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.945{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000273979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.944{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000273978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.944{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000273977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.944{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000273976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.943{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x8000000000000000273975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.943{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 734700x8000000000000000273974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.942{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=B04953E4C38042AD2628FA49AB42AB5C,SHA256=7B2B4662D3EE0D6DD673C0FEEE4B28E2E16ABF534DF3076497C6B6B40E8BE9C1,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000273973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.942{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000273972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.941{6820D070-27DD-6323-F614-000000007402}6504356C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+f6f0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+eb46(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a9a1(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000273971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.940{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.940{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.940{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.940{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.940{6820D070-DD00-6322-5E06-000000007402}34206236C:\Windows\system32\csrss.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.939{6820D070-27DD-6323-F614-000000007402}6504356C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9328(wow64)|C:\Windows\System32\KERNELBASE.dll+d800c(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a871(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a937(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000273965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.937{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exe"C:\Temp\agent_tesla-deob.exe"C:\Temp\ATTACKRANGE\Administrator{6820D070-DD02-6322-1C5A-600000000000}0x605a1c2HighMD5=76913CA0C8C7072D6018B5A725E6154C,SHA256=0FDAF674EE8FC56A7F08E48FF865DF72B1AD3FDEF2D7AEB0EA8EA8DA9DAF313C,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000273964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.937{6820D070-D2F0-6322-1200-000000007402}965740C:\Windows\System32\svchost.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.932{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.931{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.931{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.556{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-453MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000273959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:14.513{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8261985F3C770A6253848CEC855D915F,SHA256=E60AE7AED5855D97929C6BF645652AB09C1E4C681ACDF04AAA0B41E01826C3C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:15.934{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FD44D5363AC6D394F1EB44572A865C,SHA256=9D36E31B71622131EAF9AEE5A0E017F08F6FA2EFB0E996DD14FD22A222FDB8FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.867{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=65A9F00755ECF40875A46BF12738313D,SHA256=0149D13215EE09E596386687679F73854D625E78160BD22081A0E01C21A6481C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000274082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.836{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000274081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.836{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000274080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.836{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000274079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.835{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000274078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.835{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000274077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.835{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000274076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.807{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.807{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.562{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CAB1D8F11516B4A808A99368E87E4A,SHA256=7CF80AF88E43C228FC0D8F8D0412400E9A2D9EE889496A81CE32B0692F79B591,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.439{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE82AEF01DC947AF469E50EE6459BCA,SHA256=320929AB72ED1BC06FA2933BF0FD990369AE0869997E4E51EB889E2919F68C09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000274072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.406{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\perfos.dll10.0.14393.0 (rs1_release.160715-1616)Windows System Performance Objects DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPERFOS.DLLMD5=6192765AF80C0519F8CD3DDD5166AD95,SHA256=090E8B864CE45332A704E812071D2F3B2ED3B16ED73D82C2BCF8CCEF7EC44D43,IMPHASH=D0398FD9E38AEDDF3DBB865B5500E960trueMicrosoft WindowsValid 10341000x8000000000000000274071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.365{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017AB1B4B)|UNKNOWN(00000000011294EF)|UNKNOWN(0000000001129496)|UNKNOWN(00000000011293EA)|UNKNOWN(0000000001129313)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64) 734700x8000000000000000274070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.359{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll2.0.50727.8745 (WinRel.050727-8700)WMINet_Utils.dllMicrosoft® .NET FrameworkMicrosoft CorporationWMINet_Utils.dllMD5=FE3A877218F498F90DD1D097FB770BFA,SHA256=7B7AB5348E3143DB00D0FCE36E5A75867046B5C60FC52DC9E0A166CA2FDF714E,IMPHASH=422758B458E7A457D744549F961156CCtrueMicrosoft CorporationValid 734700x8000000000000000274069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.282{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.281{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.281{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.259{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000274065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.259{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000274064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.258{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000274063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.245{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.5246 (rs1_release.220701-1744)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=2A16D108FE99577ABCC08B92F2765971,SHA256=AF5268F39CE35FA3215E8162A0BF4C1949D0F5FB7A284953362ED23507C5697F,IMPHASH=36E120EA05F8714D20693A7DA02D7326trueMicrosoft WindowsValid 734700x8000000000000000274062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.242{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000274061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.240{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000274060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.237{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000274059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.236{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000274058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.234{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2F,IMPHASH=844732D10340F10C1E97778BA10CF30EtrueMicrosoft WindowsValid 734700x8000000000000000274057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.234{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000274056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.230{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x8000000000000000274055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.230{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x8000000000000000274054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.230{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 734700x8000000000000000274053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.228{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9,IMPHASH=CAC6B3339C5CAA083E24A4484EE86E29trueMicrosoft WindowsValid 10341000x8000000000000000274052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.226{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.222{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587B,IMPHASH=34AF29CE553D01A9CE643682A40D7CB5trueMicrosoft WindowsValid 734700x8000000000000000274050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.222{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040C,IMPHASH=789B4484C292CAC32E0806DEE3E8734AtrueMicrosoft WindowsValid 734700x8000000000000000274049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.220{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6D,IMPHASH=61592743BFAEF2F12950E5420FA2AEB1trueMicrosoft WindowsValid 23542300x8000000000000000274048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.175{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A6D9B1A66B43631CC85AE3C55E80DCB,SHA256=F7CCC7273CE2A58009428C07680C6F9B32E47A80DFF5F4578B4E3E19EBAD0804,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000274047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.131{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.124{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.123{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.123{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.116{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.112{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.111{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.107{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.104{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.103{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.098{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll8.0.50727.8745 (WinRel.050727-8700)Dia based SymReaderMicrosoft® Visual Studio® 2005Microsoft Corporationdiasymreader.dllMD5=7D6A7AD508368F8A41E19A593BF8152A,SHA256=9385717A62043C46A22A99893139475ACB44C0096DDE9954C9BDED721F4581A2,IMPHASH=E2ADD10FCF5C120524D6149FB9E129DEtrueMicrosoft CorporationValid 734700x8000000000000000274036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.021{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationmscorjit.dllMD5=942A0FD4301180517656DF2D7DF45574,SHA256=B9648A085BD060F253D28351E5FED798CE5893B69FA4E221D44C99F460D05936,IMPHASH=458AE5B7483D2B3344CEEB01EB67E386trueMicrosoft CorporationValid 10341000x8000000000000000274035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.019{6820D070-D2F0-6322-1500-000000007402}12525116C:\Windows\system32\svchost.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.019{6820D070-D2F0-6322-1500-000000007402}12521316C:\Windows\system32\svchost.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.019{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x8000000000000000274032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.017{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=33842D2EF1AFD0E94F73E24E55724418,SHA256=EBD2C419EB5B75270E1CC6F80FABD899C8F7B787F742CF3B0F608BB807197DF1,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 10341000x8000000000000000274031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.003{6820D070-27DD-6323-F614-000000007402}65047400C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000001335D74A)|UNKNOWN(00000000009BA9C6)|UNKNOWN(00000000009BA6D5)|UNKNOWN(00000000009BA13B)|UNKNOWN(00000000009BA0BD)|UNKNOWN(00000000034BE579)|UNKNOWN(000000000354671F)|UNKNOWN(00000000009E816D)|UNKNOWN(000000000D7DD087)|UNKNOWN(0000000003542CCE)|UNKNOWN(000000000D7D69E5)|UNKNOWN(000000000333A6E5)|UNKNOWN(000000000333A62A)|UNKNOWN(000000001AFF804A) 23542300x8000000000000000168737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:16.980{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DB70013C4E8C5D14A5892BECFC0CA9,SHA256=179CF1107A6012FB91A18F30D0C779E10861A07BA0E672D7671FCA415A35A2CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:16.678{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4C78985A4F9E04470E61B18E96BFD4,SHA256=9FF9A84AAE2F032DE991845002DEDB546ADCCC54413CF615D587A03B85FDD69A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000274093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:16.584{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\WinTypes.dll10.0.14393.5192 (rs1_release.220610-1622)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=C3EAC9E7B604696B078D4275571F58EC,SHA256=8A1F5F88F70C1BD511AE7D0E03D6ABAE1778D59D10041D17B562FE9190559A0A,IMPHASH=E5E8B16505186AC32311EE602EA3C845trueMicrosoft WindowsValid 734700x8000000000000000274092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:16.583{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\vaultcli.dll10.0.14393.5066 (rs1_release.220401-1841)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=0F9CC4F83FDD30CA09546038D0C1500F,SHA256=754954935A1BB01C0695252B16EDF251F7FF2D66BFB00450CF038D0AA079B844,IMPHASH=8721D7F174531C1C4F8942462C87C899trueMicrosoft WindowsValid 734700x8000000000000000274091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:16.557{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:16.556{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:16.555{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:16.460{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shfolder.dll10.0.14393.0 (rs1_release.160715-1616)Shell Folder ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationshfolder.dllMD5=83D8A4E04F99C5FD749D34CC4B970A0E,SHA256=0924F96973B3CE4F15BB7947E6C593B3EA1015E459BF70C3A247A31632EF2ACA,IMPHASH=A262E121DDB8823B3F2D530403B9D7E9trueMicrosoft WindowsValid 10341000x8000000000000000274087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:16.444{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:16.444{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:16.418{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017AB1B4B)|UNKNOWN(00000000011294EF)|UNKNOWN(0000000001129496)|UNKNOWN(00000000011293EA)|UNKNOWN(0000000001129313)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64) 23542300x8000000000000000274084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:16.032{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E95BEEB18F97D66D4E4779474AA209E,SHA256=89C32ED20AB6F3E28F9E9DAA1142AC3BC0817654B32D8D549E53858403FF71A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:17.997{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x8000000000000000274096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:17.999{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:17.688{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB462438BD2F7852165F26E48A2AE09,SHA256=63033BFC20E32B780EE813EC442D7AD1CBA8A9EBC2A8EF5A461A6CD4C0913846,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:17.985{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:17.982{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000274199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.983{6820D070-3FE2-6323-6918-000000007402}38127296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.982{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000274197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.981{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000274196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:15.531{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65481-false10.0.1.12-8000- 734700x8000000000000000274195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.816{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000274194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.816{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000274193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.815{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000274192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.815{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000274191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.813{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000274190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.813{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000274189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.812{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000274188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.812{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000274187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.811{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000274186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.805{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000274185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.805{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000274184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.805{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000274183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.805{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000274182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.805{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000274181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.805{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000274180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.804{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000274179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.804{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000274178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.804{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000274177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.804{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000274176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.804{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000274175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.804{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000274174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.803{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000274173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.803{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000274172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.803{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000274171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.802{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000274170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.802{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000274169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.802{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000274168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.801{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000274167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.801{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000274166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.801{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000274165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.801{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000274164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.800{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000274163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.800{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000274162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.800{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000274161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.799{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.799{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000274159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.798{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.798{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000274157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.798{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000274156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.797{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000274155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.797{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.797{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000274153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.797{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.796{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.796{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.796{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.796{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.794{6820D070-3FE2-6323-6918-000000007402}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000168788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.331{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.328{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.325{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.322{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.321{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.307{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.306{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.306{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.303{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.295{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.290{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.287{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.279{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.276{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.252{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.233{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.220{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.198{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.192{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.183{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.178{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.176{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.174{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.171{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.170{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.166{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.164{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.162{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.159{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.157{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.155{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.153{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.148{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.146{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.142{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.134{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.131{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.120{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.112{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.090{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.081{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.071{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.062{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.046{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x8000000000000000168744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.040{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A078BA7D5344032DF2C6B9F605E7AEB6,SHA256=DD0DE1A3B89CA7364B9102E4A272DECE3A4517DA131F2CD7DA10C454243FD14F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.039{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.032{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:18.015{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 734700x8000000000000000274147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.317{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000274146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.316{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000274145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.315{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000274144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.152{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000274143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.151{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000274142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.151{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000274141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.150{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000274140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.149{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000274139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.148{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000274138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.148{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000274137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.142{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000274136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.142{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000274135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.141{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000274134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.141{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000274133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.141{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000274132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.141{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000274131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.141{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000274130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.140{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000274129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.140{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000274128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.140{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000274127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.140{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000274126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.140{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000274125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.140{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000274124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.139{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000274123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.139{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000274122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.139{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000274121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.139{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000274120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.139{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000274119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.139{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000274118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.139{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000274117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.139{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000274116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.138{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000274115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.138{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000274114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.137{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000274113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.137{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000274112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.137{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000274111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.136{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000274110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.136{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.136{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000274108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.135{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.134{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000274106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.134{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000274105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.133{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.133{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000274103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.132{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.132{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.132{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.131{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.131{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.131{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:18.129{6820D070-3FE2-6323-6818-000000007402}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:19.450{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA3345D98A08C5BEEC67330018A3E94,SHA256=D259BC1ADB286D8BB33B618D650CF5D57DF36318A32DD1BE1E522886E4F5194C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000274286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.998{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000274285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.998{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000274284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.997{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000274283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.997{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000274282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.997{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000274281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.997{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000274280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.997{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000274279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.997{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000274278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.996{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000274277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.996{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000274276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.996{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000274275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.996{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000274274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.996{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000274273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.995{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000274272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.995{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000274271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.988{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.987{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000274269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.987{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000274268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.986{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.986{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000274266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.985{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.985{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.985{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.985{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.984{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.984{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.983{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.971{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD4D732F496AAEFB34A3C6517642732,SHA256=04FB518EC694BF470FCC45B6CD06132F4B8939E8005ECA9CA461D80BCB715626,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000274258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:17.456{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65482-false10.0.1.12-8089- 734700x8000000000000000274257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.734{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000274256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.733{6820D070-3FE3-6323-6A18-000000007402}18325520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.732{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000274254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.731{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000274253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.710{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D7845B1C7AA58DD192EA1670D628ED,SHA256=19DFEE8377ACA1904AFA2CFA7E6E58E4AFE72B35988F8C9B317229B57D9278AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000274252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.496{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000274251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.495{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000274250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.495{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000274249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.494{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000274248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.492{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000274247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.492{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000274246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.492{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000274245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.491{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000274244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.486{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000274243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.485{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000274242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.485{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000274241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.485{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000274240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.485{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000274239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.484{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000274238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.484{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000274237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.484{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000274236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.484{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000274235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.484{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000274234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.484{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000274233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.484{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000274232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.484{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000274231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.484{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000274230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.483{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.483{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000274228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.483{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000274227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.483{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000274226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.483{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000274225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.483{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000274224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.482{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000274223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.482{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000274222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.482{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000274221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.482{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000274220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.482{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000274219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.482{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000274218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.482{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000274217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.481{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.480{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000274215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.480{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000274214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.479{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.479{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000274212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.479{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.479{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.478{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.478{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.478{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.478{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.476{6820D070-3FE3-6323-6A18-000000007402}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.236{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017AB1B4B)|UNKNOWN(00000000011294EF)|UNKNOWN(0000000001129496)|UNKNOWN(00000000011293EA)|UNKNOWN(0000000001129313)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64) 10341000x8000000000000000274204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.212{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.204{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000274202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.203{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\security.dll10.0.14393.0 (rs1_release.160715-1616)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=0C05DA5BB5C6841C6290F64CA34F1CBD,SHA256=9C48F8D23D42C3CAF06938C2B8AAFCB51E4BE879BA21578FDD9B9D6635F1C0D8,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000274201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.197{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017AB1B4B)|UNKNOWN(00000000011294EF)|UNKNOWN(0000000001129496)|UNKNOWN(00000000011293EA)|UNKNOWN(0000000001129313)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64) 23542300x8000000000000000274200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.184{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDF9A03BEED2E1194F72CC15ABB1DE9,SHA256=42C2093F7E56CC3FF228A44D52B320516F2F7A5D467C7D6CB5DC372D51ED603F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.910{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0BB7759F68A75C9199D5FB667BE89F,SHA256=A07C58C8A894C17ACD2B03C5F2E09226C091594B4BF1B88BC9C9306C0E745E50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.898{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341A654485D440B7A29AC37BD2162A8A,SHA256=F8A097195467B6A7B82CB3DEB58E0DC658DC20FD9CA53C19FB0AB9527D5A625E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:20.509{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2786ECFC752EA1764F121F21B80E1DCF,SHA256=3D77BD5F3EC82F3440FD492BD8C2D60A9563F39F33906B402473EF7EC979FC20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.783{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=4C9241BD4E387B2B9E58E3A49E8C8EB4,SHA256=C2945FC33F4DD2028059BEF970D64D2EDAC03D4FD40EBC6DA23A2E0A10DFED74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000274380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.716{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000274379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.715{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000274378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.714{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000274377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.529{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000274376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.529{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000274375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.528{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000274374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.527{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000274373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.526{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94,IMPHASH=58B9E3FB550C715872D0FDCF7F80C373trueMicrosoft WindowsValid 734700x8000000000000000274372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.526{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000274371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.526{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000274370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.525{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6A,IMPHASH=C910DDFE30DC1006ADAE67F73F17158EtrueMicrosoft WindowsValid 734700x8000000000000000274369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.525{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000274368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.525{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000274367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.518{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000274366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.518{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000274365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.518{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000274364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.517{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000274363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.517{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000274362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.517{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000274361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.517{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000274360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.517{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000274359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.517{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000274358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.516{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000274357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.516{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000274356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.516{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000274355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.516{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000274354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.516{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000274353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.516{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000274352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.515{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000274351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.515{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000274350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.515{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000274349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.515{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000274348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.515{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.515{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000274346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.515{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000274345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.515{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000274344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.515{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000274343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.514{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000274342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.514{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000274341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.514{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000274340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.514{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000274339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.514{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000274338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.513{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000274337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.513{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000274336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.513{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000274335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.512{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.511{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000274333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.511{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000274332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.510{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.510{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000274330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.510{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.510{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.509{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.509{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.509{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.508{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.507{6820D070-3FE4-6323-6C18-000000007402}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.505{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596D6CBA53C3550B1E81920BFFF9D39D,SHA256=1ADA9706DA62F97A429A2BF416E988CD579A569139AB5907511449292E2BFC0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000274322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.455{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.431{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4,IMPHASH=3BCAD7DA03A0242A2A34491F77EA8067trueMicrosoft WindowsValid 734700x8000000000000000274320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.422{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839,IMPHASH=DC23FFFD2EBC3578D9A77CC0B9DC22C2trueMicrosoft WindowsValid 10341000x8000000000000000274319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.421{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:20.370{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:20.370{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:20.370{E743DC12-D54F-6322-0B00-000000007502}628712C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:20.356{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000168790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:17.000{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55350-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000274318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.420{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=68C7867BEB2A710D14B70D96C4D7DE4E,SHA256=DA093049898D4608579C739B6A63DC98A3FBA57ABDDBFB94C48D2A8335BA0CBD,IMPHASH=02FB3A0617EDCFE43788537F1544278CtrueMicrosoft WindowsValid 734700x8000000000000000274317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.419{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=48821439687840212B6457EDD266FA1C,SHA256=F3E9CC2B98D7E0CEBCFCC7906926E839436358437EF10E335CAF7FFAB9E13DC5,IMPHASH=F55036BC63B11DD610F1F8CFD77D76A7trueMicrosoft WindowsValid 734700x8000000000000000274316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.417{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171,IMPHASH=5C77750BF609660A7729B242FA74E98CtrueMicrosoft WindowsValid 734700x8000000000000000274315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.417{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6,IMPHASH=228F99E8B005CFF18296089AF6DEA022trueMicrosoft WindowsValid 734700x8000000000000000274314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.412{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0,IMPHASH=2B9681B9C7B5E00CD2814399F4685385trueMicrosoft WindowsValid 734700x8000000000000000274313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.262{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.261{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.261{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.243{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000274309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.242{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000274308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.241{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000274307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.022{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000274306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.021{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000274305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.020{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000274304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.016{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000274303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.014{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000274302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.014{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000274301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.014{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000274300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.013{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000274299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.006{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000274298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.006{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000274297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.003{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000274296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.001{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000274295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.001{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000274294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.001{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000274293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.001{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000274292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.001{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000274291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.999{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.998{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000274289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.998{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000274288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.998{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000274287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:19.998{6820D070-3FE3-6323-6B18-000000007402}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000274490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.904{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000274489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.904{6820D070-3FE5-6323-6E18-000000007402}12725492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000168797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:21.526{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD0370FB0FBFF2E844BBD430B1D14C2,SHA256=8F33DF287DCFF3498166DBF4562C86440C83916AF100642D995BF01174E4BC7B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000274488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.896{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000274487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.895{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000274486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.740{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000274485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.740{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000274484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.739{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000274483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.738{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000274482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.737{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000274481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.737{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000274480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.736{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000274479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.736{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000274478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.730{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000274477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.729{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000274476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.729{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000274475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.729{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000274474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.729{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000274473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.728{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000274472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.728{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000274471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.728{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000274470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.728{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.728{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000274468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.728{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000274467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.727{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000274466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.727{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000274465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.727{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000274464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.727{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000274463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.727{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000274462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.727{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000274461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.727{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000274460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.727{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000274459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.727{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000274458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.727{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000274457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.726{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000274456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.726{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000274455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.726{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000274454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.726{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000274453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.726{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000274452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.726{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000274451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.726{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000274450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.725{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.724{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000274448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.724{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000274447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.723{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.723{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000274445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.721{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.721{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.721{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.721{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.721{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.720{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.719{6820D070-3FE5-6323-6E18-000000007402}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000274438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.014{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-65483-false127.0.0.1-25smtp 354300x8000000000000000274437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.014{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-65483-false127.0.0.1-25smtp 23542300x8000000000000000274436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.579{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BCDF229ADB397E18E4F565C60415F56,SHA256=A4B286F778F2B40F4103A17272C128095293C4A13104E71A09C0F23518833A40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000274435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.229{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000274434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.229{6820D070-3FE5-6323-6D18-000000007402}77566640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.229{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000274432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.228{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000274431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.073{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000274430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.072{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000274429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.071{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000274428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.071{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000274427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.068{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000274426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.068{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000274425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.067{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000274424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.067{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000274423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.061{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000274422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.060{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000274421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.060{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000274420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.060{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000274419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.060{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000274418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.059{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000274417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.056{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000274416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.056{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000274415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.056{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.055{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000274413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.055{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000274412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.055{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000274411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.055{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000274410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.055{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000274409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.055{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000274408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.055{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000274407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.055{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000274406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.054{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000274405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.054{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000274404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.054{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000274403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.054{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000274402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.054{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000274401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.054{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000274400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.054{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000274399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.054{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000274398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.054{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000274397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.053{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000274396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.053{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.052{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000274394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.052{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000274393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.051{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.051{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000274391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.051{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.051{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.050{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.050{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.050{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.050{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.049{6820D070-3FE5-6323-6D18-000000007402}7756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:21.013{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8E10B9F4BC021868624C63A9BA7D24FC,SHA256=E50A0F925462C0EB35670081F25803CBE68C69028996CFBDBA5A094A823F1BFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:21.040{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BB3CE24ACD27A4BD22141A1AF974EAAF,SHA256=1A7652788857DD4B4D64C513FA7E52A0BEABAB846683F80E6B485F8E4DE5B5DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:22.920{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6975EB9FE505D5B9957C210154C6967B,SHA256=47697A12E9C9FFBBAE05F156ED1FE3FA0F82AFDBF8160CD989D2F8B1BEE25209,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:22.565{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E884087E6962BC9AEFCD8F2C16B02D5D,SHA256=FB05F43F605EE6A1A364F862ED879C2154D2BEB7A6690B2BBCAD9C669855A9CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.552{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65485-false10.0.1.12-8000- 354300x8000000000000000274495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.084{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-65484-false127.0.0.1-5000- 354300x8000000000000000274494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.084{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-65484-false127.0.0.1-5000- 22542200x8000000000000000274493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:20.491{6820D070-3FDE-6323-6718-000000007402}6008testgoatsmtp.com0::ffff:127.0.0.1;C:\Temp\agent_tesla-deob.exe 23542300x8000000000000000274492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:22.112{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC043E323523A961D1535BF89B5D00DF,SHA256=3C6EA5AF4672A237F5F4D97A02D87BDA23AA1939B6AF65FB1E70380C92171582,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:22.109{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4957E65D9EBF3599D6400E48D270ACD5,SHA256=7F607B5C7844337DF035635079779918DD1C084B301A874A72A7C129E16FE4B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:22.505{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:23.615{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337E19EF94B1FC39C24485C53E412241,SHA256=318CDB87788E1A2C96558D5A0E272A3FCE1B4DCA31019181FCA18ACC6C7C7DDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:23.771{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=84D34EF41B8C8A8AC6553F7039C0CE5A,SHA256=090B2D11264B95955DFDD3F140925F2CA9BA6545402CC928672A7841BEEDFBEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:22.035{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55352-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:24.765{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A411740078AEB7EAE90BAFCE542E7973,SHA256=5AF2AD3B367259138AA5276B6FA0EFA45D656C6C13D87AB0F18F4E38A3B072FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:24.031{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47EEF52DF1BB0FC948CF54350417AEC,SHA256=388F677FE971669A9D9FC2894321E943553D37C6518E2DA48FC0BCDC48A40C08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:21.334{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55351-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000168804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:25.817{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0091C60F39D2F7D118F806EAE83DE94E,SHA256=6E7CFFF368F97FA6D544A6157DD3EEB50F4A1803C50E4C4DC61BF036A0BA7196,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.691{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.686{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000274523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.614{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\21015MD5=7FF99B8135C43B69413F0F6D437840D7,SHA256=8349BFD861A11821C1D4F5FACE8849F2A90C170C9C09EF7B70673E2202E1C0A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.613{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\24393MD5=76C1E01B485B0EEA7BBAF585F7F632F1,SHA256=2974AC1813D9C76C92BD21F686BDD15791C7AEA6C1A062B05177E4D826AC5746,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000274521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.267{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.259{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.249{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.244{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.229{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.227{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.225{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.223{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.215{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.173{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.159{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.154{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.147{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.135{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000274507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.131{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000274506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.127{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000274505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.125{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000274504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.118{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000274503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.114{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000274502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.071{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 10341000x8000000000000000274501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.068{6820D070-DD11-6322-8606-000000007402}52805340C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013580190) 23542300x8000000000000000274500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.042{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204996FBE0BBD084233DE8E34A18C5D4,SHA256=4D8B9E7E235CC976339819DF8F77D4CAF2EF5A5349B5CEDC7DD4403C515E45CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:26.881{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C31B82178E534D76ED6C7CFDCB2A7E8,SHA256=E90A81D0C7E25ADB5BB6248DCC37689397CDD8ACF032E956A42038377FF47855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:26.260{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0772607AF7375029B08A2BB55D834305,SHA256=1B2E13D4FF86569F6BC77117F7B93B8C10ED473E5E663A892DF7E460E80665CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:27.921{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8A90E24B8673DB0EC6B449C89DFFD3,SHA256=D8B0E8B50BF75368C4DB386F6E8987369A02F6B2827FE0566687E6D7A4CE2F57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:27.957{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:27.957{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000274534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:25.642{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65486-false10.0.1.12-8000- 10341000x8000000000000000274533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:27.722{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:27.722{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:27.706{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:27.704{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:27.697{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:27.695{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000274527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:27.367{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B0E92D825584899A204C3B3E15E7B9,SHA256=210E6662ACF48BFE5720CF231151E72FEE686C1097D43969728A0CA3CB742DD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:28.962{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11AAC5DFCC5F9219BB0FE724B0994D7,SHA256=8591038F28AB070DAB17935111E4CE7AE433B6D986583E3D55CCD5C0E11F8F52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.567{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.565{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.563{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.561{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.557{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.553{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.551{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.526{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.523{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.517{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.515{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.510{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.504{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.501{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.493{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.491{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.489{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.489{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.488{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.471{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.469{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.467{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.465{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.453{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.450{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.445{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.442{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.438{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.435{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.435{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.429{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.426{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.405{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.399{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000274553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.392{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A515180D826E8F2AB78842D0A227CAF1,SHA256=1CC4C68416A048EEC60F5B8C436413A9CB8CA33D81764424351B5EF28FDB943D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000274552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.357{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.352{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.331{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.318{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.256{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.249{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.237{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.231{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.229{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.226{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.222{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.220{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.219{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.214{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.213{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000274537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:28.210{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000274589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:29.748{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439CC468E8B30FE4FE8BE09CE742BA20,SHA256=E70DB88FF71CE8299E93E305A0EE3399E81A979D21A43F4C69370B5BA368D7B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000274588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:29.726{6820D070-D2F0-6322-0D00-000000007402}908652C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:30.825{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A920828058F3431D5286A20664AF1AE0,SHA256=E0A852AC47B0F1C1505E497DF47434F964C29950A8B4AA35D41F5372B2567890,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:30.002{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B64B3DB31F59D4AAD16D3083101C563A,SHA256=7B1583FF73AC5143A7693CDE32D69C7E2078707D18A461B92EB52E0C0ADF8564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:31.835{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856B303DF63C01CA8C8A37F97781690B,SHA256=A82CFA014D3BCB88005A3F1D57DDF5B1E267CF989B36EDAD2BEAD35CB64D9DAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:31.323{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=07D8A492A536C8612998FBF8D80EF395,SHA256=99C93423B60A5ED8089EAFA61F089B88C33A93C3B8661D8F27B07B35F7B0B69C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:28.017{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55353-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:31.059{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0974ECFDEE928DD2958DE46C22CF37,SHA256=8EDEEF968B133AA0D9A7D38B9B8463CB56EDDF669434659E540A99EEBC48AAAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:32.108{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A4D9C1ABB8DC7C12D63BCE34213F14,SHA256=C651D68C8C496F014BF0A925919614561DC4D354F48E9ADF4795B7DFD93D26A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:30.663{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65487-false10.0.1.12-8000- 23542300x8000000000000000274594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:33.149{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC7D9FA48DB605994A9F68FA6F98244,SHA256=FA9AA088F406901CC18BFC9E915F26D9DEED16A20E6796C081F4C595CC2C2AB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:33.148{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A78D377B9A61E3505390441401AA05F,SHA256=D68E0B109A77E7046904E8065775AA281A2D9FAF81A3C1DFDC46B86F81184746,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:32.793{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal55794- 354300x8000000000000000274596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:32.790{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal52116- 23542300x8000000000000000274595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:34.356{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24269910BBA4E1329AF27E3B14057BA3,SHA256=E06B8689B204C1509E5A1430A03D35E780644571DAFDE07877C0856B34EB0F64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:34.222{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4C9980DAA37EBA5E9DC48762AFD961,SHA256=C02589CE29FD9BF3721A7C82FD1334CC52D2F08FB0195583F4AB73DE70FFBBB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:35.463{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1598603433DD7BB8D821C1F3606E4A1A,SHA256=639A0766251045E5D06F3453C0E8011106DE25D1359EA3EB65B6EC454C1586A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.786{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=A3CC40A1BD79BAFF1E9CA35782104A8D,SHA256=91D11C2AD5AD1D7C7BA284AD413FA3BF3C9A39759582AE5D2946A1EA51AF2F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.786{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=6E1607E86A97911935361CB06FB57360,SHA256=5933F816C9B34DC69AE1F460CEDD68E318D1F941755868C1D8F29F7E3C5E5DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.786{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=8DA6E5849D274FC8B7154DB66436FB2C,SHA256=DF5FB9A0ADBD3180B0DB6E0D067CDAD36AC83CE8FD3F6BD52450FEE727B26629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.786{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=23FA5B45C3FDCAFEB9C5F69B313E02CD,SHA256=16070A6033AF47D6A46E5990C711ACCD6710ED6BCA7D1BBA6BDDF4E01FEBDBD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.786{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=5F91C846C68C472B3A663790F978EFAB,SHA256=2FE6F32DB7185DA5E1093357A8AD3B9B36B5B2017AF2678195706A0548E44231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.786{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=EEAB0C797BDEDA31101740C91B10B5CD,SHA256=C948DB5E9CB77E47D4AC0AF656EFF8833400AD9C5C0C0B08434456A6C9603639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.786{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=26C2EC753E906171B8D28703EEF15CD0,SHA256=11773523267A20541513861FB66B9338C88BAC6E96AA7A6DFCB957C35B61CD31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.786{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=DA5606E659476878ED6A0CE7BC5C1E09,SHA256=7A0CA5892CFE0A0A959BBF1281C32EFC679312EFEF1960AA8F17C94C1503195D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.786{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=05D14AB4EA3E0B7E122DA4E242658D52,SHA256=E463EEB72D4ECC0F09DA92A8D9EFF1589B1FCEB36F7AD9DA5E99FA68B6A246C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.786{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=4D4F53FC0DE8838F3201C7CCC5442CB5,SHA256=70C73C0378E63C695BC0E457CF7F9FA8D54DED2778A0D3C669C86E8B0C2C1484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.770{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.770{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.770{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=BDC4600D694857C5C30A2206E495F697,SHA256=06010E94CDA1CC889F5BC1A1D0F9F89B34F625888D58B0B92AF5B530658C14E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.770{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=A69683A83F9731641B26F879332CBA9E,SHA256=B77B12174EBE3B89117884C173E939A9337C73E19FDF41B578C7EAA58826E68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.770{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=AE875D3597C85292CE5EE715E88D7A0E,SHA256=61F38FDC294F2E991BB4C9D902138B28CC06A8C0A7AB6EBB9866D3BE5ECA2E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.670{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=ABBD67EDCF447393C30471E4A67BEC5C,SHA256=63FCE568430C2F4937214E5A9073683AB6058D193BD63DBC00489C9CF3BCC34B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.663{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=FF5912A2BDA2A02AED651A1E379B4E0D,SHA256=E9770848180D97187BF44AB3AC737A0B3BB39AD21655364B6C3C2C8C325435E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.663{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=985870D598C8DFF88D7D0D11B730FFF0,SHA256=276591302AACD2E2AD21B2D6BB63CA8747BB1CC14EC619D2572553FB9148BF9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.663{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.663{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=AC9F51191434467967C72D07EFDDD601,SHA256=423D8B3848C061DCC6B0566BF12E226D82EAD11941B407B00A292F28DC59468A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.647{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=C9C2D7679928DB7CFBEB735BFA0625F6,SHA256=CE8276832F86E9A6676FED2B6F4029EFE3935FD22B93DD2AEC49A412C6130734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.647{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=055B82288C1E59EC3ED9420C456EBECD,SHA256=875FD50032B8B7A6402710CCAE8528E1105723BF5DE41FEFDCE6C867C3249586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.647{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.642{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=0FF6155B864C146DD706BB3E8E739599,SHA256=14E65C21C10954B62410AEBB134E7DE0559346DB81488F523268C27CF673D494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.641{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=C250F1DBD756FABB2D1243190C3FC606,SHA256=B838C78E75B1FE9D824D45540372C95096618007A4022E3261BD2A71558AD9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.640{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=4ACB7601E037A79BE3524A63BB045139,SHA256=A2653D0EFA91E16819103168632AB17658E7CF7F7549508C06CE96711D3B4665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.639{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=20186F9BC12FA59899036235FF762518,SHA256=DC3963B1EC73FBC6BF1DF8C807ACB5694F96B392D2CA3A5D7A712237C87037F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.638{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=AC3DB405778811C611BCBB41572A6A21,SHA256=C65468C28859D0ED08F4533AA008FBA4B314A5C5636AAE1D8A1A2B3457599AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.636{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=6705E7EC8B711429CA9A19E666563F50,SHA256=B6295C97296B0FFF2310ABF27A53DCD9F5771434141102504CB446D478ABF1E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.635{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=D0F0B25897386CDB2B0C85D716E89A12,SHA256=A17A64B9D633E7CECEA1760BB09E70BC89F6091A36AA7D35DFCCFE7A1F1494BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.634{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=204437ABAA87A0BF5F303EA95F546741,SHA256=7FD6A5E04E5F87457A0F0501D2D4E98141543EFF685601CA07A98C2BBA8512C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.633{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=E2EFDABEF4B417ECDA297FECBE6EAB05,SHA256=6D359DE7EF690EABBBBC54148E162ED3E2D217C186C318C3965ACDE85531D07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.617{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=9FEA066CDAB9CEF7AA4450EC45BFD5EE,SHA256=4F0401FF00E449DA739F600CFF1DA22D53CAEA91AEA938CBD8467E855E5DB281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.617{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=88B9BA950DC45A0752A8E8115CCA8261,SHA256=9C83AFBF5C1F7ECBCC8A6379A18900546C01B9F6550BF4EE93453161D926E379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.601{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=055B82288C1E59EC3ED9420C456EBECD,SHA256=875FD50032B8B7A6402710CCAE8528E1105723BF5DE41FEFDCE6C867C3249586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.585{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.501{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=A69683A83F9731641B26F879332CBA9E,SHA256=B77B12174EBE3B89117884C173E939A9337C73E19FDF41B578C7EAA58826E68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.501{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.485{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=985870D598C8DFF88D7D0D11B730FFF0,SHA256=276591302AACD2E2AD21B2D6BB63CA8747BB1CC14EC619D2572553FB9148BF9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.469{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.447{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=ABBD67EDCF447393C30471E4A67BEC5C,SHA256=63FCE568430C2F4937214E5A9073683AB6058D193BD63DBC00489C9CF3BCC34B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.380{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\oka5g0ws.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:35.291{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427F16C086C8A08700CBE7BDE08582F9,SHA256=93912E887D740CD61228FBF81E72857ECFC1314921413FBE5FEC73F6C01C2F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:36.577{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6683DD0ED9EF4B7B87B10DC5C958BFE,SHA256=F3E9436BA2BD495BDE5935D2D36AEE697041C911597F4952D435A6FA088C3DBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:36.669{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131EB8B1DF725F5F9059F4BA2CFE83A4,SHA256=BED823F83D7E6957A164A644531BA56921AAB00491DC947DDAFADAECBA7A277D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000168859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:33.019{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55355-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000168858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:32.182{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55354-false172.217.2.42atl14s78-in-f10.1e100.net443https 23542300x8000000000000000168857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:36.303{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:37.886{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5468FCBAB91F9F328B0A4143E6107852,SHA256=8CE159BB687787B1B516CD0FA60DFAC4ACA08EF0819EDF2BCAE26597143799A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:37.994{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:37.985{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:37.975{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:37.965{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x8000000000000000168861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:37.370{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB0B0B85D63682CB7A3309DFDB78EA7,SHA256=098956C90B26BE509ABFEFD7939B9850F125D33D9D201983C0D13A0C4279EFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.857{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D47C85C125B39EF92368FEF39E0D7E9,SHA256=FA0BC6F1D9AF133966FC931E0423D998DBA8459DF9D5477CA1894BB1FC76075F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:36.575{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65488-false10.0.1.12-8000- 10341000x8000000000000000274602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:38.337{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:38.336{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.347{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.345{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.342{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.337{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.335{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.320{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.319{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.319{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.315{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.312{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.309{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.306{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.298{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.297{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.272{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.255{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.237{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.213{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.205{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.195{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.189{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.187{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.184{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.179{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.178{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.174{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.171{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.170{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.164{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.163{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.161{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.158{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.150{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.147{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.143{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.131{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.125{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.110{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.099{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.061{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.048{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.041{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.033{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.017{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.011{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000168866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:38.004{E743DC12-DCF5-6322-7D03-000000007502}55365748C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x8000000000000000168913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:39.961{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1330E406593E3B9F437CC197756381C3,SHA256=0A15784234570CCBC763A1DAA7FA91878883868F8F1D2947B76E2D4F9DABEEF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:39.098{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F2A5487CCB8BFD7E1F6D3109D44C91,SHA256=A3B891D61CD7AC385C4C7846616A2C108C5A48424A199582E2FEB389193270F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:40.208{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3798E99D9D5A39565C7AF35D7E82483C,SHA256=F5EE03EC0651A9A758111B7259F1BADD594648AD9B57BD8FEFCA8B21C480CCFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:40.259{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=30FD33A2E0B152D84B35FA00F6B0FC3B,SHA256=49C11DD37F6707A509268353279F2AD04F107B3ED2CF1B919611927B9D370948,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:41.706{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:41.706{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:41.218{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABE1A18EAB2EB9AA7A9CD04E71839C7,SHA256=3E47884137B760468318CFD1B885F078B0BFB8D956C95F5927B961A5B0BA7075,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000168917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:39.327{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55357-false169.254.169.254instance-data.us-east-2.compute.internal80http 354300x8000000000000000168916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:39.025{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55356-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:41.047{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D435A8E40B3DA22F3400101A2E303CCC,SHA256=742327C519E922E4E214AB21FB36ED8EDBF0E726FF48E9FB45369B7CABB423EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:42.341{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B99C9865F58944BCD6A6464A633B6C0,SHA256=8E094B1A44BDB51BDA2806840421438999807D3B1E24AB9B4E12B01EEAF923C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:42.078{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E3F2D711D32708A5340558565AD1E5,SHA256=C277DECCB033004B61883FA72E878A1C7794F5EBC0C35E5998879B6F8C47B370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:43.654{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7FA2956B4F183F88C0F3E70F2FAE22,SHA256=E672022383066C6A6F91C6ED6B4306677914FC6F825B39B8048D638FBCA48CD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:43.117{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62DC1AC5E31E0AD6B3F5C2829D76851,SHA256=565D360E83C2D99DF00D0124D2890C1C684619FEEDF3C2F2864B252BF6E7A2E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:43.014{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:43.013{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000274614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:42.485{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65489-false10.0.1.12-8000- 23542300x8000000000000000274613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:44.659{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41DA5A63534CE9EA8B710387FCBC9309,SHA256=C4CB772458E231865F0D96E04AAD43AF49537007E185EFFB26DE6E880DDF667F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:44.165{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5796C6108784CA5D851FE12CA7CF6B9,SHA256=84E5D5759B890DFAFFC26EA508E5B7D0CABEFFC9F1E8F2DBC8DD35F06BF6C100,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.753{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.751{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000274638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.684{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCDD38E83C00D370D14753FA14033AB2,SHA256=853AC72BC8A48E981DC2541FD7A6BDC5C6014697D06AF5981133FFCE29B31ECD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:45.205{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68EC24D7148DE6E75303CD9A15E6E59,SHA256=3B78C20D7A81B31F0FF0D75D14F94537B2C55967D83819D7A8CF484EBA7019C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.302{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.293{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.280{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.274{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.262{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.257{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.254{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.252{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.233{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.207{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.192{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.188{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.179{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.171{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.163{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.151{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.143{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.133{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.125{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.115{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.115{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.085{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:45.082{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000274641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:46.693{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6EBE1B6DE23EF18C77C4305DE96A3E,SHA256=F626AA40170835737389775E61F2BB945575929FF02BAF71E34EBD93D50FE39D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:46.239{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA90A92B5A6AE4BFADD84A190E935EB,SHA256=E96ADA21F1EF8B2EAED61EAA018E0A2672AB166E2845D82EBDD1D6E4E2ABBD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:47.802{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63AEF520D465CB351D097E03E670C186,SHA256=A4EABF3CAB9C9C89166BFC4FFA5863B989D229D85A7DD788E5D49065659B80B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000274652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:47.764{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:47.762{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:47.758{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:47.756{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 734700x8000000000000000274648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:47.732{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000274647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:47.730{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000274646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:47.728{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000274645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:47.727{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000274644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:47.726{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000274643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:47.725{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000274642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:47.723{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:47.710{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3FFF-6323-840F-000000007502}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:47.710{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:47.710{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:47.710{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:47.710{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:47.710{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-3FFF-6323-840F-000000007502}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:47.710{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3FFF-6323-840F-000000007502}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:47.711{E743DC12-3FFF-6323-840F-000000007502}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000168924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:44.967{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55358-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:47.272{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58226BF66B0D96C7CB1437E9B9751D50,SHA256=522F29D3AA669CD9B6F5705AF964FCF760A47844FEF9CD4CA9CDDBE4491E7EC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.952{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-4000-6323-860F-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.952{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.952{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.952{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.952{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.952{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-4000-6323-860F-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.952{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4000-6323-860F-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.953{E743DC12-4000-6323-860F-000000007502}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.790{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A50FD859C0249F1EB5750E6D02C24A5,SHA256=856D02DCDC1C6F821BB0B20EB6F8577595A38CF21C25ABD62E679F19A597AA37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.474{E743DC12-4000-6323-850F-000000007502}26883288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000168942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.327{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5523F0750AD22AFC9227F4CE93A4835,SHA256=2F72F261AA60021E60820A6E5FCB12D132CA2C2D44CB4C149A3B19E8FD730824,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.311{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-4000-6323-850F-000000007502}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.311{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.311{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.311{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.311{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.311{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-4000-6323-850F-000000007502}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.311{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4000-6323-850F-000000007502}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.312{E743DC12-4000-6323-850F-000000007502}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.602{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.599{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.595{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.592{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.588{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.575{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.573{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.546{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.544{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.536{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.532{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.524{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.520{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.515{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.509{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.503{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.501{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.501{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.500{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.483{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.482{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.479{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.477{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.464{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.463{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.460{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.457{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.454{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.452{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.452{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.450{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.444{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.434{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.432{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.397{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.396{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.369{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.361{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.318{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.306{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.294{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.287{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.285{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.282{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.279{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.276{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.275{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.271{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.269{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.267{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 734700x8000000000000000274655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.067{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Drawing.dllMD5=10E731CD4FE19798054F2D564012364F,SHA256=F23C4888571741A8528631F72F21F061F936626F11CC43FB851DC1A2D73B2E9B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000274654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:48.067{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Drawing.dllMD5=10E731CD4FE19798054F2D564012364F,SHA256=F23C4888571741A8528631F72F21F061F936626F11CC43FB851DC1A2D73B2E9B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 23542300x8000000000000000168933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:48.169{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5BB1412BE08D5E2BC64BFB7E448C45D0,SHA256=9A3E228AD1A373131848EDB2468377CF8CC40DCC1BC56D0F4E83ADCE84475E70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:49.777{E743DC12-4001-6323-870F-000000007502}3408924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:49.566{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-4001-6323-870F-000000007502}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:49.565{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:49.565{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:49.564{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:49.564{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:49.564{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-4001-6323-870F-000000007502}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:49.564{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4001-6323-870F-000000007502}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:49.562{E743DC12-4001-6323-870F-000000007502}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:49.375{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F568E453F9CAE6D4FEEC38CAD2124A30,SHA256=41E88338C659013C6D41FB919483B2759C67C87FE1E5B857F8C9FC2D5DB8A901,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:47.518{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65490-false10.0.1.12-8000- 23542300x8000000000000000274707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:49.092{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080BA7C8CF77BBD0515671D1C6EB97EE,SHA256=9395738B125DA3B4CF7DDAE3C5134FDD6E0DF1909C2482B44995E2CB144145A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:49.090{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D5A98267FC0E5B3B2FB88275D64AA8,SHA256=494435E28D4151CC919BAAE67AC4F5A063CC4D036933A0AFECB64150336627EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:49.139{E743DC12-4000-6323-860F-000000007502}51166020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:50.216{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:50.216{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:50.105{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE8E33708EA09E1292162FC0EE28407,SHA256=01C656CAA1188BF3F8F51E8CF61DED8F52F588A2A463DED54F072CC7F8EA74BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.700{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-4002-6323-890F-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.693{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.693{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.693{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.693{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.693{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-4002-6323-890F-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.693{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4002-6323-890F-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.695{E743DC12-4002-6323-890F-000000007502}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.469{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD6C663CD01E5270DE95F3329CC2363,SHA256=2C2CF600D402FA9510667FF98AF1BAA04450FD0B6551C8507AD7762B4233E8CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.156{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-4002-6323-880F-000000007502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.153{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.153{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.153{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.153{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.152{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-4002-6323-880F-000000007502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.152{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4002-6323-880F-000000007502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.150{E743DC12-4002-6323-880F-000000007502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:51.517{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8B7D29AA9261E8F4347F43EF3E1EDD,SHA256=0EE1DDC4338B111E020062B2995736109F5AB34AEAB214B75DF61F702D30D59D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000168990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:51.517{E743DC12-4003-6323-8A0F-000000007502}22964960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:51.418{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC20AE7FCD8496449314FA53220F2D2,SHA256=E53DECFE06284DE1753C8ECE1A6393E7658C8EB6B598BF03FD79BED1F87E0CB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000168989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:51.294{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-4003-6323-8A0F-000000007502}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:51.294{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:51.294{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:51.294{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:51.294{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:51.294{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-4003-6323-8A0F-000000007502}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000168983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:51.294{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4003-6323-8A0F-000000007502}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000168982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:51.295{E743DC12-4003-6323-8A0F-000000007502}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000168981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:51.240{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=94C635249E7E4404638297945D852EB5,SHA256=EBFA80B3FCF935B8CD472B4A5AE3FD127236B010563C0077AC1C8AFC066CFA91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000168993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:50.054{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55359-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000168992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:52.568{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A5808BECF16FA6C1C11834DE234339,SHA256=CA78D9F34604103B831A5A9BBFF8A1E7F63C839D2CEF2A556574E827A50857C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:52.429{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598C83B577F047A65C23F6E63FA7505A,SHA256=65B5C39628431C9707C6AB633928E2ADD870DD545AA4384485B8FC3935071FF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:53.600{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A30BB8693E87192D2AEBF46B4494073,SHA256=B5040A10718879496C3B3D753192CCAD833F51367615BA7F452D190FDB052B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:53.998{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F84D61C18C85DE89B1722CC3DF38524C,SHA256=C594E7173CE797678E2DD29DBAE406F747884C74357B870498D78129AB134449,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:53.439{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77FB8379ABE0FC1283B75DA62C3854C0,SHA256=BF50C520DDA55DBCE3612F1715302ED46D1994CF779DFC8CD7EE43082989748C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:54.641{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0A0E57B575413B80728AF492D55D48,SHA256=A6770D11B44F959CE5E3F43B317E7F4CD096A1BA7764CA5C224FBDD0B602B45A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:52.672{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65491-false10.0.1.12-8000- 10341000x8000000000000000274723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:54.734{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:54.734{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:54.731{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:54.728{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:54.728{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:54.727{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:54.727{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:54.448{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12488616F2AECC7EF41817112617F18,SHA256=C2BADBBDA9E3878E5DC22F3CA7B3C9631FDACAF1C4D725F811985CE0CA98362F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:55.727{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B800F3004649180071257BA75E01CC1,SHA256=831E27A7A5B228F2A75511E443558870905577B50486E6CC2F4FE2C52C59C78C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:55.632{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\2163MD5=83C5A87B801EFE35530BF4A50C890B39,SHA256=DA9B09C904D359CE6248DE43096274EC9CA770190960608732DF9E176C808506,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:55.462{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD122CDE24ED8B165B3DFA890DAC16ED,SHA256=5314FB0E453E38C78F8DC9E3922CAB63BED44161F45DA16079CE5504AE34AF8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:56.806{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AADA1BA6960FF98B4D6ED27871E9993,SHA256=F685938CF9840CAF5E4219E75291C35FB8BE8467DBEBC0612641E9DAF27F61C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:56.467{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903FDEE7FCBE930A47AF82EED7723818,SHA256=AB7DE7C1D2CE205D5E042D1813D775733D2F1D1A147BC15201D0F62BCC1D0AF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000168997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:56.517{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-443MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:57.805{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:57.804{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:57.804{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:57.800{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:57.800{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:57.800{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:57.799{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:57.472{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72567AA0BC5101EB3104938271D40466,SHA256=AB5E238A4D4CA254FDE576DA500468E98AB78CEBF55CFBE0F8E1BC7AE01C1D1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:57.996{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:57.989{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:57.979{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:57.971{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:57.963{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:57.961{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000169000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:57.846{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A27B955F43CD5AAFCCC8D82BC4F996,SHA256=6ED02ED618B05EDD92F52E8EA4DE1ED0D8F5B8A9CE2E2A23FA7489652E4A4042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000168999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:57.515{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-444MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:58.687{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1609B2A7B778B8CD7836D08CCB9797EE,SHA256=5F098EA46B5DFBB53B66A32F9AC720A0CE94FF5F616711AFBD073E3E443E2BDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.894{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB511820B184560F7FB898B039012E17,SHA256=B372887CBEBDD50B82FC1ADC6E475C2943F9DCD4C338791595051174664BFAC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.448{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FEA6F70B50145BFB8470779E73A3A35,SHA256=E2C86AE39BD150FC72E4B5695B138BF58D6DC76FBCFF06D547CDA29A7A539D6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000169050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.288{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.286{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.284{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.281{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.280{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.263{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.262{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.262{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.259{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.256{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.251{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.248{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.237{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.234{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.217{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.202{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.194{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.169{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.163{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.153{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.147{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.145{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.143{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.140{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.139{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.134{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.132{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.130{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.128{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.127{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.125{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.123{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.118{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.114{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.109{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.102{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.100{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.083{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.074{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.047{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.037{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.021{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.013{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:58.001{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000274740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:59.799{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68EC25947BAA677CA5F0DAB806287C5D,SHA256=65DE6D92B86A7C32245FD9DBD0B94046736175880381C5801607B0546720AF6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:55.973{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55360-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:08:59.957{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1D041743C89613A9778774B64D96D7,SHA256=A9CC59C0F94DB179A9C09C989AAE849A7765D4B4471CC7E6DC3FF81A13458C9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:59.073{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:59.063{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:59.063{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000274744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:08:58.632{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65492-false10.0.1.12-8000- 23542300x8000000000000000274743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:00.913{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F97E678C385EF27917A28624F54E7A,SHA256=8155F41696A259DAA78DFA8047B81BC6118B92E7E4C9051D6448CEA99823486F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000274742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:00.623{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:00.527{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7d109|C:\Program Files\Mozilla Firefox\xul.dll+e7d3e8|C:\Program Files\Mozilla Firefox\xul.dll+121687b|C:\Program Files\Mozilla Firefox\xul.dll+e79d77|C:\Program Files\Mozilla Firefox\xul.dll+e5eae7|C:\Program Files\Mozilla Firefox\xul.dll+1f88572|C:\Program Files\Mozilla Firefox\xul.dll+1a9930a|C:\Program Files\Mozilla Firefox\xul.dll+1a9be25|C:\Program Files\Mozilla Firefox\xul.dll+1887aa0|C:\Program Files\Mozilla Firefox\xul.dll+1c8a8b0|C:\Program Files\Mozilla Firefox\xul.dll+1e3b9f6|UNKNOWN(00000104A8127F45) 23542300x8000000000000000169055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:01.013{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181816F60585C90F1C432BE315CAA19F,SHA256=71567AEB7A4EE25630724F18B9513E6231DC6F03160B815F6D7F4AA5BB70A4FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:01.189{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7d109|C:\Program Files\Mozilla Firefox\xul.dll+e7d3e8|C:\Program Files\Mozilla Firefox\xul.dll+121687b|C:\Program Files\Mozilla Firefox\xul.dll+e79d77|C:\Program Files\Mozilla Firefox\xul.dll+e5eae7|C:\Program Files\Mozilla Firefox\xul.dll+1f88572|C:\Program Files\Mozilla Firefox\xul.dll+1a9930a|C:\Program Files\Mozilla Firefox\xul.dll+1a9be25|C:\Program Files\Mozilla Firefox\xul.dll+1e9f8e6|UNKNOWN(00000104A81232E3) 354300x8000000000000000274751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:00.521{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65493-false13.69.116.104-443https 354300x8000000000000000274750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:00.419{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57771- 354300x8000000000000000274749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:00.419{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63105- 354300x8000000000000000274748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:00.415{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local51905- 22542200x8000000000000000274747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:00.912{6820D070-EFF0-6322-ED08-000000007402}4396onedscolprdweu06.westeurope.cloudapp.azure.com013.69.116.104;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000274746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:02.226{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836A08D2F4CF64F0234C31151C8D898D,SHA256=F366AFC08F55F8FA1DA6C2347CD68D7979C5E29E9DE099B84F2CACEDB804EF93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:02.069{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F210EFB2DCD44B4D2DCED3E72D0E385B,SHA256=67498918195502A4CD0B25503AA4B5A0A9029B63C3C42EBAADF3D8686D71126C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:03.102{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAACB96C3E5DDE47C3C29B16977CFBB5,SHA256=DF7708DACDD6605141D2C42869C2E33F9029756D6C0B56A621605FC7C29FBCAE,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000274754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:00.914{6820D070-EFF0-6322-ED08-000000007402}4396onedscolprdweu06.westeurope.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000274753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:03.345{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B6A35CAC72314C305E0B5399E737D9,SHA256=8A5E0827C4E9F780B92BDAA1E39012AF25A122975CC8C2527B5739E5BFC18545,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000274752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:03.191{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:04.458{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615DEF4436D195B7671B3902D8BC509B,SHA256=8C8E68C612E3D8707AC88EE8314D54FA3560FFC84E451E739071A0F25894ECAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:04.157{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6420F8A326EEC0CD0E01E12FEDEB3C7C,SHA256=27A62221AB7DD6ABF125D29FAF1525EB18CF5A0DBDEB75976AC244FF3B8027EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:04.346{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFCBFEB5C8AC11E1D885E6D422503466,SHA256=41E871D42C347F5B80975DC61CDF08C96A49EDB916609DE297E68ED82554F0C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000274783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.732{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.731{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000274781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.576{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6AA6C9A03154C5B2BFC1213DD0ABC8,SHA256=258516B0D159536CE0EE25FE90E7A7F798511F60432C55887BBE4E82A09D6C3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:05.221{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6EF087C5307EF3CA4E3D27FD64A17C,SHA256=AB3B6FBB34B8C136DD374FD6A2FD2D065DBAC5F3BB8C1E0DE26C1D72127A1381,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.300{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.291{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.277{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.273{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.264{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.260{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.257{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.254{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.247{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 354300x8000000000000000274771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:02.725{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65494-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000274770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:02.725{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65494-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000274769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:02.402{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59189- 10341000x8000000000000000274768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.217{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.198{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.193{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.183{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.174{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.165{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.151{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.143{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.133{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.125{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.071{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:05.068{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 354300x8000000000000000169059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:01.884{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55361-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000274792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:06.589{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F064D9327302E8EAD812974F3F2C290C,SHA256=D84F7C900B77817D5A1E50F5BCC89DE3C86CEA130EA40B72FD753E00C5EADD23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:06.261{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF5EE29958037D852A33B0A8FCE9A5F,SHA256=0FD9F62DA43F7A0353659B09E399BAA99DC953B8F5CCC113C09397CCDACE21EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:06.291{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\16522MD5=2B84F76C7841556BB54F46CD73BE1A11,SHA256=76CFEC0193362F9AA0A43E3B69A648C30F6FA437A07BF8D784883207EF3793E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000274790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:06.217{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:06.217{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:06.216{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:06.212{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:06.212{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:06.212{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:06.212{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:07.749{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:07.747{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:07.741{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:07.739{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000274794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:07.699{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA7171C1DA7748A2F4D5B0293D6B915,SHA256=C972C2D6651F881BD1B5DE65A25C5C86FA4FF783C6C4443C07AD3D7DC1730C4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:07.403{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E02461C70F8D8518C1E4CBEB94FE623,SHA256=CDDFFBA663BCB118997A08B6C52E7A6BEFEEED0F84D3F29D9E21D3CEF6BB8B9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:04.607{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65495-false10.0.1.12-8000- 23542300x8000000000000000169063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:08.465{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2D48E6CC0DF054BC4E42DA0E6541BB,SHA256=7F83C83D3680D6F6A54159F70F3A492F2ACE7250E705F95FCA730DBCDA51C838,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.579{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.577{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.574{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.572{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.569{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.562{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.561{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.540{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.538{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.534{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.532{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.528{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.523{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.520{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.513{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.510{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.509{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.509{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.507{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.486{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.485{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.483{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.481{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.469{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.468{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.465{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.461{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.457{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.456{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.456{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.446{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.443{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.432{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.427{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.396{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.394{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.367{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.358{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.308{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.296{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.281{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.271{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.269{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.267{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.263{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.260{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.259{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.255{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.254{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000274799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.252{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000169064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:09.528{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA5A865B78EC339D2D7A5E11D5C573F,SHA256=5AFC038C763A94561E921286AB5A4FE4DD731E464D77F2D032790A5F85CB50E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:09.265{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:09.075{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F342EA40F899A13BED0848BC0567CFB,SHA256=93BCF363733D0F0844C4B118B0E8E8FC3C7CE44CEAF39AEFD6723DF347964C0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:09.074{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A31682D8859B93D81B684E620A4F1E,SHA256=53A257B5013FD95B8841314B91A83F9B0315F717EA5A929F56BBA7C0FA8004CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:10.592{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948B04C95D934E3A85CC8E71A05F213B,SHA256=22D51462C507B73AEF8767D5144DB3F7E372FBA9C64E5083FF3F35C0C6720C5D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000274855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:10.703{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Drawing.dllMD5=10E731CD4FE19798054F2D564012364F,SHA256=F23C4888571741A8528631F72F21F061F936626F11CC43FB851DC1A2D73B2E9B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 354300x8000000000000000274854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.739{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local65496-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000274853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:08.739{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local65496-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 23542300x8000000000000000274852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:10.086{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CBF70F765EBB5E89B3483AED1F0954,SHA256=CABB49F6713A70293BE816C7DE8F8E22C601D42E6012F3B47FFF766375E73E5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:11.621{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC3864375AE0075A522A6F35C960103,SHA256=BD0F7575EE2E9BDC5BBD22909C033CB6B63B9B28E18E74BAB2959092A6A6DD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:11.294{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\16410MD5=187E240B990B383BEA15E031B971E5B9,SHA256=40599D830DA2B4D1E4140C0031DBD37B816876219713BD68A78B42625F5580D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:11.293{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\29584MD5=AD4F31489ECDBC742080F9E721D71A26,SHA256=C761EF035FDA6F9502171D2EAA29102F257D54BDE6E9688910508ECB302CB2EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:11.197{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350BCC276FEEA45AF62E3906F28BD7BD,SHA256=52B81E4D91D4730C657194604197CA406F0408BAFB93723B07DAE555FE7A10D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:06.953{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55362-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:12.677{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5FC2E1B7ED0543AD455C9FBBF028A1,SHA256=39B4EF1F0825E1D5DCC05B18FBE1A196529B8BC2064F8AE93BCA61F3694BC775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:12.207{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7552F6F3CAB07F71397FE8CD98C2A220,SHA256=86DD01062015C19C925D8814F0DB7EE04297F904E87B5FD753B3BA29C2BF5222,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:13.801{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119888CB3428037CC2B1A0BADCD377DD,SHA256=3C51F366414940863CD9494700E956C2CA83C8257E55769759DE576E4C382404,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:10.486{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65497-false10.0.1.12-8000- 10341000x8000000000000000274862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:13.250{6820D070-D2EE-6322-0B00-000000007402}628764C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:13.249{6820D070-D2EE-6322-0B00-000000007402}628764C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:13.217{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B6750F3F442C233DA0C900EA4FD475,SHA256=4C190D3D95A8630ADD2C29460104B471354096339517251C823CE8B61D2B9ABB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:14.843{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D662BBCEB5A210F2B4B899AABF857CC9,SHA256=5F20998FC81840BB869F4D78F71FA7D84B23EB4A1D7ADF37697157FC748280F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:14.614{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:14.614{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:14.432{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977E8ACAA7AF34CBD3BCEBCB89B9F7B9,SHA256=AE3C78D4FC0CEAF81280289E4158D4B32951BF5B924981C613D521262FBB754D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:15.885{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466866C2337AA50DA23789A72B60BE2B,SHA256=917878BFA39CB70A1B9775263CF26B697E55D78CAC17584EDD55ACD44B957D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:15.545{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F218FC8106A7B8083BDC5E2A603046FA,SHA256=9FF18423F0476FDB12F74FB69199367CFE27BB43846BD79CC1DEDD25CDA0B7C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000274869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:15.489{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:15.489{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:15.087{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-453MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:16.920{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC976B68672F3FC6391A62D77B30994,SHA256=41DAD4EDE436DFDD04A4C4E6D0636CF769D2AEB76DE102270CE6614082E92B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.795{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7F0E91D191CF207099A109A2B46A23,SHA256=0295CAA3C9C6F0A7C4E0A83EFFE48EF157388B5B21FB520EA47C32F524557BED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000274923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.673{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.673{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.673{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000169072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:12.907{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55363-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000274920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.673{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.673{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.673{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.673{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.673{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.672{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.671{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.670{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.670{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.670{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.670{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.670{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.670{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.670{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.670{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.670{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.670{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.669{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.565{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FBEC8E85416192F565693D46CD8EDBA,SHA256=DA5FEC58F72BE369A1AFA7490102C0B8C90DA9FA7D3EC229C1D66283A0E3C6B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000274871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:16.084{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-454MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:17.973{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A349A82B2DEB28A327FF7609A3AB5D10,SHA256=B7713E1E8719BBD0730A1E440B68F333F417A143ED095321718D9B1788E8C3B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:17.593{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5226FDF1803BED549BA27D3AB255E5,SHA256=4E4B5180185DF21BCA6BBAD3F53491A92CD02CC5CE28F3FE4F9211E301E10E78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.846{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C09D4B49C89C5189ADFD99191A3EB8,SHA256=B87FFC247EC3A614FFE5E9C3B63BD83637BF8E71CA54FEECF0D8AAB1C6079A73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000275026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.843{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000275025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.843{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000275024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.842{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000275023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.841{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000275022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.839{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000275021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.838{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000275020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.838{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000275019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.837{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000275018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.820{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000275017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.820{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000275016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.820{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000275015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.819{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000275014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.818{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000275013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.818{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000275012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.818{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000275011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.818{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000275010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.818{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000275009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.816{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000275008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.815{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000275007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.815{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000275006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.815{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.813{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000275004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.811{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000275003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.811{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000275002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.811{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000275001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.811{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000275000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.810{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000274999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.810{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000274998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.808{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000274997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.808{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000274996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.807{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000274995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.806{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000274994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.806{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000274993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.806{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000274992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.806{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000274991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.805{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.804{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000274989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.804{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000274988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.803{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.803{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000274986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.803{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.803{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.803{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.802{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.802{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.802{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.801{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000169125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.912{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8655BFADB7BA06C8BF7344F547DE31CF,SHA256=B640E009FAC9F69956A0F7ADA73C49AFDF2D400112D4D6D3F444DD2A5ACC8619,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000169124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.613{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.609{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.601{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.598{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.596{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.555{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.553{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.552{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.547{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.543{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.536{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.533{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.522{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.518{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.475{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.454{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.431{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.392{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.375{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.364{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.355{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.351{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.348{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.337{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.336{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.326{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.318{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.311{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.305{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.302{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.300{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.296{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.286{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.282{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.277{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.269{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.267{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.243{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.231{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.181{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.168{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.151{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.132{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.113{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.101{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.088{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.069{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.048{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.013{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:18.002{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 23542300x8000000000000000274979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.596{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0E1646566C767700B163B4C64D6714FC,SHA256=F08CC96CA7622DBA9D8C673B3AAE48E3A94B1FB781F92EB8BAB228E91EE6D034,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000274978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:15.614{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65498-false10.0.1.12-8000- 734700x8000000000000000274977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.377{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000274976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.374{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000274975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.373{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000274974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.152{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000274973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.151{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000274972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.151{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000274971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.150{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000274970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.149{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000274969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.148{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000274968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.148{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000274967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.141{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000274966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.141{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000274965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.141{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000274964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.141{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000274963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.140{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000274962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.140{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000274961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.140{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000274960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.140{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000274959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.140{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000274958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.140{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000274957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.140{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000274956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.139{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000274955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.139{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000274954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.139{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000274953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.139{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000274952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.139{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000274951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.139{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000274950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.139{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000274949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.139{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000274948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.138{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000274947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.138{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000274946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.138{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000274945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.138{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000274944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.137{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000274943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.137{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000274942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.137{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000274941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.136{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000274940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.136{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.136{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000274938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.135{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000274937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.133{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000274936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.133{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000274935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.132{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000274934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.132{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000274933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.132{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.132{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.132{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.131{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.131{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.131{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.129{6820D070-401E-6323-6F18-000000007402}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:18.015{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:19.012{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898D0CF52344ADC8D4DBE2B29DDA7F7B,SHA256=8B999072C7A866C34EB3B6BE264C9ACF21E3EB212C3B4AA83442CB9B9B339DA3,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000275089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.568{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000275088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.566{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000275087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.565{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000275086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:17.473{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65499-false10.0.1.12-8089- 23542300x8000000000000000275085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.504{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E5E5779883956EFD77C45B700F22D7,SHA256=525429014692BC967DE0791CB851AD518F2506E90FF054E89EB54D6BA90915C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000275084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.396{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000275083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.394{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000275082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.394{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000275081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.393{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000275080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.389{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000275079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.389{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000275078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.389{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000275077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.389{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000275076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.382{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000275075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.382{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000275074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.382{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000275073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.381{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000275072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.381{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000275071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.381{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000275070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.381{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000275069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.381{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000275068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.381{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000275067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.380{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000275066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.380{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000275065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.380{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000275064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.380{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000275063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.380{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000275062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.380{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000275061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.380{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000275060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.380{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000275059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.380{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000275058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.380{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000275057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.379{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000275056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.379{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000275055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.379{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.379{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000275053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.379{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000275052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.379{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000275051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.379{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000275050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.379{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000275049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.379{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000275048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.378{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000275047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.378{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000275046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.378{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000275045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.377{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000275044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.376{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.376{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000275042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.376{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000275041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.375{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.375{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000275039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.368{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.368{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.368{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.368{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.368{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.367{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.366{6820D070-401F-6323-7118-000000007402}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.173{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=057562E20222F62FC3CC43D960A60ADC,SHA256=23F4B9753383A108B391D85033DB8C35B858A383389EAE5CB6F6726F6E8EB3E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000275031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.028{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000275030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.028{6820D070-401E-6323-7018-000000007402}32367616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.028{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000275028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:19.027{6820D070-401E-6323-7018-000000007402}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000169131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:20.372{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:20.372{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:20.372{E743DC12-D54F-6322-0B00-000000007502}6283780C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:20.358{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000169127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:20.057{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14621FC226FABAF42540E3E727DBDFC2,SHA256=59000F4FB642A4F4DB08E8FFCBF61987D837B49646F46D5742BFA834E181D31B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.947{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E2C71A20828988EA7DCA9CC8FAECE0,SHA256=B7A37801BCC4ABC7F94B1826BD46C729A4BAF0CA53210774BAEC016ECD40C713,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.864{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.864{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.748{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000275202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.747{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000275201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.746{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000275200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.682{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCD6E5C61645EE3FEE6D48C342B409E,SHA256=1154B7C0256E9B1DFC6E7B14377E98B57306A52E7B07F63C15A404FCF932820F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.676{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.676{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.676{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.675{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.675{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.675{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 734700x8000000000000000275193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.572{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000275192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.571{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000275191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.570{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000275190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.570{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000275189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.568{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000275188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.568{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000275187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.568{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000275186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.567{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000275185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.560{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000275184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.560{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000275183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.559{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000275182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.558{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000275181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.558{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000275180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.558{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000275179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.558{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000275178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.557{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.557{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000275176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.557{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000275175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.557{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000275174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.557{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000275173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.556{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000275172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.554{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000275171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.554{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000275170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.554{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000275169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.554{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000275168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.554{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000275167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.553{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000275166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.553{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000275165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.553{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000275164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.553{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000275163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.552{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000275162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.552{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000275161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.552{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000275160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.552{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000275159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.552{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000275158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.552{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000275157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.551{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.550{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000275155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.550{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000275154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.549{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.549{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000275152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.549{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.549{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.548{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.548{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.548{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.548{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.547{6820D070-4020-6323-7318-000000007402}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000275145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.437{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.437{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.426{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.426{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.258{6820D070-4020-6323-7218-000000007402}25963184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.258{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000275139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.257{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000275138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.050{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000275137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.050{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000275136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.049{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000275135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.048{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000275134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.047{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000275133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.047{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000275132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.046{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000275131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.046{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000275130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.045{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000275129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.039{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000275128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.036{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000275127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.036{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000275126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.036{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000275125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.035{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000275124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.035{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000275123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.035{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000275122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.035{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000275121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.035{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000275120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.035{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000275119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.035{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000275118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.035{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000275117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.034{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000275116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.034{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000275115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.034{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000275114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.033{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000275113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.033{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000275112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.033{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000275111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.033{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000275110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.032{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000275109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.032{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000275108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.032{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000275107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.032{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000275106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.031{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000275105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.031{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000275104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.031{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.031{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000275102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.030{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.029{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000275100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.028{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.029{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000275098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.028{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.028{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000275096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.028{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.027{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.027{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.027{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.027{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.026{6820D070-4020-6323-7218-000000007402}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.024{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A80171A955C31FC826305EA9DD185C6,SHA256=5C83F422FD4D973E88CB71237922EF1A44CAA13CAA23D88E5AE285FB08DE2769,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:21.446{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A6E01A7CF2BC805B9FFBEA76561E4AFC,SHA256=D67AE0B3300AFD0D67005AAE28CCFA94725434C7F7A2DA2B2D08771C4EFA9E54,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000169133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:17.938{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55364-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:21.128{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1257FDF5D4C60159C8C1FEDF1AD93605,SHA256=9B1CDDD54F887C5688C26CC23A1C26CD27E87036F51E95A2E3094F30E119A04D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000275311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.932{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000275310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.931{6820D070-4021-6323-7518-000000007402}26803208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.931{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000275308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.930{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000275307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.860{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA77B2F7D5B5360BDC31DBC2B996F3E,SHA256=2F75018A9F9AB17310C9BB1F3DB163C3E3A876E9F8C9FEFA1220371DADC569FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000275306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.750{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000275305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.749{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000275304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.749{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000275303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.748{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000275302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.746{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000275301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.746{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000275300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.745{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000275299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.745{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000275298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.739{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000275297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.739{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000275296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.738{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000275295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.738{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000275294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.738{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000275293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.737{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000275292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.737{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000275291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.737{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000275290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.737{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.737{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000275288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.737{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000275287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.737{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000275286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.737{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000275285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.736{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000275284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.736{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000275283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.736{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000275282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.736{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000275281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.736{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000275280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.736{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000275279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.735{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000275278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.735{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000275277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.735{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000275276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.734{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000275275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.734{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000275274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.734{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000275273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.734{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000275272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.733{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000275271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.732{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.732{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000275269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.731{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000275268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.730{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.729{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000275266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.728{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.728{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.728{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.727{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.727{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.727{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.726{6820D070-4021-6323-7518-000000007402}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000275259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.426{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000275258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.425{6820D070-4021-6323-7418-000000007402}56083916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.418{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000275256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.417{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000275255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.231{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000275254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.230{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000275253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.230{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000275252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.229{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000275251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.228{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000275250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.228{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000275249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.227{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000275248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.227{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000275247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.219{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000275246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.219{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000275245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.219{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000275244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.218{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000275243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.218{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000275242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.218{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000275241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.218{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000275240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.218{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000275239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.217{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.217{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000275237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.217{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000275236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.217{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000275235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.217{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000275234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.217{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000275233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.217{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000275232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.217{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000275231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.217{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000275230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.217{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000275229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.216{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000275228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.216{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000275227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.216{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000275226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.216{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000275225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.216{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000275224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.216{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000275223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.216{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000275222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.216{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000275221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.216{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000275220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.215{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000275219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.214{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.213{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000275217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.213{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000275216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.212{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.212{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000275214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.211{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.211{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.211{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.211{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.210{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.210{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.209{6820D070-4021-6323-7418-000000007402}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:21.147{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CCF74C7856392D38D1EA0DDD066A0E,SHA256=3D92C2C6D731BC019C5B9D82B27003C3633A238A0F2520A461754379D3EFC625,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000275313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:20.625{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65500-false10.0.1.12-8000- 23542300x8000000000000000275312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:22.378{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0CA372D6BF1912C9C357C34F577F71,SHA256=2688B5EF761DD0D3324ED925D55964D78B5254014F8CBE80A553115AC6E89894,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:22.531{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:22.161{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA70AF7BF5B96C3EBC3A3DD0318A7C65,SHA256=F5B76F9EA04C3BFE8FD9D295566F19728A7EC2A3F5D711D7521ED2C7715DBE5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:23.186{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B088D2B46E18005B6C4209176F26FE,SHA256=8C0C70977024F9F18EF81E6FA5DE618B60DDDCEBE2B3433F2C49D0B13EC30775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:23.424{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469C6CC379799C79B9E2DA58FD7656FB,SHA256=173E34B2E3280DD32F0A3F4069D87026F73D05AF817CEFB85F05D44EAB25642D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:23.234{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=382A820A894311C510F983962595231B,SHA256=0AA7ECD4BBAC650B8C73B18E4A867487BD5D731466CBE197885283D32A7D7CB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:23.174{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2EC-6322-0100-000000007402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000169139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:21.359{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55365-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000169138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:24.317{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A72EF093954B64C809D740B0382F0F,SHA256=743623AC6A246DA7D6DF7AB05CD0BC121C00B87C3EB1B4EF03F19E7BDC4D9319,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:22.645{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65501-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000275319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:22.645{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65501-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 23542300x8000000000000000275318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:24.434{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6314AEAB2BDD09DCEE60C567FFCEEFA8,SHA256=19AAC68F3979630F1C40D63E8E43EFD904AD9319B49B23399F789B11F9F51CFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:24.221{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5078E516CE7B319FE804720E93C127A3,SHA256=1CA324C7763D57AF237C6EDDE15220D745D3BDCB172A9330789943AD991C3217,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:25.365{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B83B19BCC6A19A1A7A3F659D4C4430,SHA256=6B1505CF7021CA2F960A46E160556E31CD97FF9AE8A099EFAA601F4717F3D9F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.646{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.645{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000275342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.456{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FE9C9FBE8D3E17C159F516829BA9AB,SHA256=A6E893C8C404EBDAEEB9E0138483C8BCB8558324BF417B45C023BA9DB59E542E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.259{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.252{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.242{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.237{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.231{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.228{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.226{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.224{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.219{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.187{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.171{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.166{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.158{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.149{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.142{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.132{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.125{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.116{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.109{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.074{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:25.070{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:26.519{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:26.519{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:26.474{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D9803C8AD029219D6AB78F750DAB320,SHA256=AE8ACAD3DB5FEF08E1F4D092E23BE0F695B8E70F5F8598CCC80DFD7518871318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:26.455{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F6AA48528616A6E337DEF3DAE9BE34,SHA256=8BC98EDF40A36F496A2DEEC7D9D78EF69EE15FA0BA17F00B06F0AC333C22CC6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:27.555{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4618E7043A0B0D9994FBCF19C814CB,SHA256=8AA45B2FB2FE545661202964D69E305C56CCD43C6483A100CE240A3736055F78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000169142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:23.930{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55366-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000275354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:27.659{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:27.658{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:27.653{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:27.651{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:27.600{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:27.600{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:27.581{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3662900D582817308A1AE3F17D9C75C0,SHA256=ACF97B884417E7725BFF79812FFCBD6C32684AB4EF62A5A67AC69CBEEED4A7E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:28.538{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089F2A574BC7282EB73E09C07EF47CDF,SHA256=409F4F0A64F9F32AB433FDBD916B2F799D43CDBC1960C05EA4BBBF5680BB1252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.609{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567F65D53FCB19F2E74D1C4F4807A164,SHA256=01083E5C0F31E726ED70D4575ABCABC13B7779012FCCCC3E1A0DD769E0615A43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000275406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:26.579{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65502-false10.0.1.12-8000- 23542300x8000000000000000275405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.519{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1BA7191AB330A605E2E11B508CBF0F,SHA256=530001E65AD37E2ABA98E8440AB708BAD0AC7498BEF5D94FEB4F29CF2AB6EE69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.478{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.476{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.473{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.470{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.467{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.462{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.461{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.440{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.437{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.434{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.432{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.428{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.422{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.419{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.415{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.411{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.410{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.410{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.408{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.389{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.388{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.385{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.383{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.368{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.361{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.359{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.357{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.354{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.352{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.352{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.349{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.341{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.330{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.328{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.293{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.291{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.272{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.262{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.215{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.205{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.195{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.186{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.184{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.181{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.177{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.174{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.173{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.168{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.167{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:28.165{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000275408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:29.619{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545A5E79E7158C51BEE8794DD5685EE9,SHA256=040460E08D631D18177AA155E7D2D105BEC3D190E4AB50D0BDCCB44BF8A0DF5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:29.638{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D34F0BC66EC31D9A60DFDF0920C8ED,SHA256=2B7936956D252431C9B5ADF811D042599D2196E601877AA81B00D2AFC2F7A9B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:30.739{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC3E38A8F5B6B7AA83E84A1ABA5A354,SHA256=77D5DA0382006D75F51BD14779BA284A06920F3A1AB72DAE0208867DD65B3446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:30.831{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36691DD3CB5FA2ADA338C3B48E49B560,SHA256=18AD15DCE7788711B71C63AA9791A7C9351BA1306BD9499F2AD68B25FB4FF203,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:30.809{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:30.809{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:30.799{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:30.799{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000169147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:31.857{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A05F8DDA7DEA6F581109E67A9CEFDF4,SHA256=B01E2135172BDDD50421AA243AAC7B055FCC0CC783CF0A4A19DA70CCF04F0E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:31.841{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328A83A1D0A21E1270ACB645B7E421E8,SHA256=CAE2B28B9B1FAB3F65DCD4AC1062B9E76069A559EA484220449999BB9DA2942C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:31.539{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:31.539{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:31.324{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F98F45117ACF0C291BA286A0686E043D,SHA256=1803B710207ABF7A30D59F54E9F1F5830FE1C2287B2AA800F3B1B82EA89E37EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:32.971{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B29D22C695EF292E5BC1909273A4A7,SHA256=A81D021A11064336272B0EFD8ADB2D3D8A2FA98DDC58BFD1696C9D8F9E3975A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:32.851{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DCBF24BE21409A5F7EB3C44CD8BB49,SHA256=69C7110E496CA33DDED9B0662B4106A58A7ED98295BED9B3E39493C6F06922A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:29.017{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55367-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000275418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:30.745{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse167.172.238.127-43596-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local80http 23542300x8000000000000000275421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:33.961{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AEB142DD537FAB052EAE3E965CC662,SHA256=E42F752A36B196DAC0DF1360522A90E49CFA2FA4FE199B718E52592B78C89C3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000275420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:31.711{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65503-false10.0.1.12-8000- 23542300x8000000000000000275425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:34.973{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD821E4608F0481D79B3C4DD0498947,SHA256=EAEFD524333085B351317098158F6764473CAEF61C23CD4879A3BE598A83C712,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:34.109{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC38BAD428E19F61D0B05B8755BC69D,SHA256=41DD7B36AFD465E8913ACDC633C2AAB7777D7A04CB761401A5F5BA08D8819F8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:31.933{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-57771-false127.0.0.1-53domain 354300x8000000000000000275423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:31.924{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57771- 354300x8000000000000000275422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:31.924{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:9820:2527:8c94:ffff-57771-true7f00:1:0:0:0:0:0:0-53domain 23542300x8000000000000000169151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:35.173{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B561AE5DB0DAB01E45D7C3FE06C623B9,SHA256=C465D808D67C2C38BC31AE5A8A17F2153B7F2E22E5CE68E3AC7E882A3E326CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:35.110{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96B57DA965C17FC02D81B0D59E3D99D8,SHA256=81E79EE19C4582854EC133299CB6094CA58FD32BB7793C7701173E3188F239C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:34.058{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55368-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:36.273{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5329B5ADFD1162943A93DDD1851F1137,SHA256=8282D41488BE97049DDB38A7FCC3C8735FF81AD95201C2490D2CE6692FB361B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:36.771{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000275429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:36.770{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:36.770{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1aad568.TMPMD5=AE83E3D1BED7E22F099EC37882555B7F,SHA256=19C20C1DAA5B1C1F7E9A0561569A10ABB7DBF1B544D26F74C2B5990D9C688508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:36.084{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C576294717F8B2F16DB65C2C8C9F6B1F,SHA256=68B62B826D3ECCD0251FB563A1A1F1D1F38370DF2ED8C7B5211643CDA5FF3043,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:37.990{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:37.978{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:37.968{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:37.965{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000169155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:37.474{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:37.372{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5720F33FBB3A495DAACC02D589381425,SHA256=3B2115C27BAAEF9D4E76A3576623778C9A6EF69F7A8DB8A15025E78DB1F07D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:37.294{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDC692A8A90FAD29A1718AC4D1FDBDC,SHA256=545346EFF13A8751E40DCD8FBBED84CD72E3103C19B746698FFD9CC4EFF06467,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:37.008{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:37.008{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000169206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.844{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7607A54104B609E366687074BF87C9,SHA256=B287202EEA5B43D5E26BAD939B8E5EF9591320A3BB7549F31C05B73A5CE4BF5B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000275441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:38.925{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=7294744A8618ADCFB97F6CC9B06781BF,SHA256=9CBA204AECE064C4E8AA5C1E8D7C17EA054A47B315D8CEEFA1C206395E5E32D7,IMPHASH=5CB0004DB7090241A0C06F1853D02144trueMicrosoft WindowsValid 734700x8000000000000000275440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:38.814{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.5127_none_f67513fcf253b94f\GdiPlus.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=6EDB43C233D76CB312D42C21716962E5,SHA256=19DD51B9B6B8371291C41DFD76B69995953A062A1701EEF302CE44C68599171A,IMPHASH=7693D57C38FF80D4013B00CECB7C64E3trueMicrosoft WindowsValid 734700x8000000000000000275439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:38.816{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationAccessibility.dllMD5=B2E013306A84513CA912FF6DE4F53C4F,SHA256=AB56D0A7507FBBB187D165BAA5046F210D14D18FCDBCFE494EF7794843917F97,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000275438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:38.748{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=AC951CC1306C73767A05F04BFC916CD8,SHA256=5FE28B70168433EF1C6DDE3CB1BE43A1A614508C37BC9C32F2051E5BA341C6C3,IMPHASH=EF37C47ACC74D5DC3737EEE137193A8DtrueMicrosoft WindowsValid 734700x8000000000000000275437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:38.777{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationAccessibility.dllMD5=B2E013306A84513CA912FF6DE4F53C4F,SHA256=AB56D0A7507FBBB187D165BAA5046F210D14D18FCDBCFE494EF7794843917F97,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000275436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:38.777{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationAccessibility.dllMD5=B2E013306A84513CA912FF6DE4F53C4F,SHA256=AB56D0A7507FBBB187D165BAA5046F210D14D18FCDBCFE494EF7794843917F97,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000275435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:38.753{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85,IMPHASH=60EA58ED63BD25EC1709F72F112B0086trueMicrosoft WindowsValid 23542300x8000000000000000275434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:38.304{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219A0DE64558A163DFFD56326F144A87,SHA256=0D5482FD4CE23AD19F325092F9D6CF5D993FC01350E0E8DCA05C6ADD084739FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.336{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.333{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.331{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.327{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.326{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.313{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.311{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.310{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.307{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.304{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.301{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.298{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.290{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.286{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.265{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.251{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.236{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.210{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.202{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.189{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.184{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.181{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.179{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.176{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.176{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.173{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.169{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.169{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.167{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.165{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.163{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.161{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.156{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.153{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.149{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.140{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.131{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.115{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.106{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.064{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.057{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.048{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.035{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.018{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:38.012{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000169160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:37.999{E743DC12-DCF5-6322-7D03-000000007502}55365752C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000169207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:39.863{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C02BDB829A27F4327461A688672DCF,SHA256=1932936567319792A2271EA19CA164FC621A85BC98C62BDCF3BA93FB6555A7B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:37.570{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65504-false10.0.1.12-8000- 23542300x8000000000000000275442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:39.317{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC92F8D0FC7EBC31C33B180C239350F,SHA256=751F63315C8A38DB2EADF0882345E553919B70AD10F6E4D0E7C262C71C6FF2C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:40.948{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4699ECD79C06FB8ECD266E29D2240127,SHA256=90E85303B9453F91A58237F4FB4A18CE7D9EF70A4E942BE3B5B98F0493AC4083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:40.428{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A654219C10F52F7884BDD08ACD26F14C,SHA256=A7C3200B994F04EF19A7BF29C00DAE6BB7B3BB06C8EED9AD6065785111B33E3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:40.263{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=96E7AB7321B0C351A0E89C2DFABB49EE,SHA256=ACC2F5DC7DE62807BBE38C39B682C5CAD5A0827833FD6CBC74A22B2CCBCC736E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:41.436{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61DC7D4EC5FC7A847232DE1445D5368,SHA256=A95EB6D6C6ACC2CC2027EB4AC37891E2B957327105445FD6B38009B91EB91FDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:42.548{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:42.548{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:42.445{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9498DDFA36EEAF4B257E14053C7E7FA,SHA256=FFDD1100133FE623CCBCDB930B748EE1E7047FFDD8502D92578FAB55B348C80C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:42.032{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F29B7AD7A595BD5850AE9C2C6056FD6B,SHA256=425869BA0C7D42F84247B1F70C688C14463620C20BC26C2C05B6AEF7593087D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:43.618{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:43.618{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:43.453{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9479AC14832ACC97AD912783EB533567,SHA256=1480F4C3F21398A87456F31778BE0D265FF48DE3EBC12D11746F264EDDE9D11E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:39.975{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55369-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:43.133{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD460B3CA58871CF2CE8E2B62CEAB0E,SHA256=7A3C86088E22C39D4C544ED4AAF1EF70644AC4F43B544A583214CC904F0504CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:44.463{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA567D0F0DA2DEAD64ABB3BEA2B35210,SHA256=C50B44BDB887F98D62E94D1A4709C505F07E5CFD004DD8A40C4C74A50902E15F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:44.250{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E065603F5BB13A9E5B21D31A92E74DC0,SHA256=CA250726CD3458E2F50B2A2516975EEC6E7D1025496A7D7DEE1D6893DD6436E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.764{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.763{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 23542300x8000000000000000275474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.584{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926EA267433C9FBC4E94C3F5B94E87CC,SHA256=B4D5C248D79B6FE74A295C989F8781FA837209D5E540A429EC5FD0391508E71C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:45.335{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7C0297F7545525E28C91BAF72F086F,SHA256=3E85E603B2DDDD15511361C1F2D1BD7F02CAF20BF1F923A9C7B6807D1ED474F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.342{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.333{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.320{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.317{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.308{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.302{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.296{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.294{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.288{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.259{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.226{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.221{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.213{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.204{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.188{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.173{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.155{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.142{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.128{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.083{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.080{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 23542300x8000000000000000275480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:46.595{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A78520785AE8D979639AAF174D81E45,SHA256=FBEBA29CA5229D3496C2C929BCFE3C1D94DD68B169B15F94C9D881D422EEAD6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:46.352{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9684524BD59998B3F4D47057D7E5A5E3,SHA256=13AB1471BBB360DA185DF1E4C4065956BC72EB7583326675FA6A60DE9AA8A7CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:43.482{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65505-false10.0.1.12-8000- 10341000x8000000000000000275478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:46.023{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:46.022{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:47.805{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4326D49934901A1AA51F9883793FCF,SHA256=A3960C5270432DA8CB8BFDD4198580E2AFA9142F653D83EFB63037E6C1013E40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:47.781{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:47.778{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:47.771{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:47.768{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000169224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:47.721{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-403B-6323-8B0F-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:47.721{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:47.721{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:47.721{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:47.721{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:47.721{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-403B-6323-8B0F-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000169218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:47.721{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-403B-6323-8B0F-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000169217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:47.722{E743DC12-403B-6323-8B0F-000000007502}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000169216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:47.470{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB56B087D9656F1C5E27D234502B928,SHA256=20BC4742927F579611CB0D49E0BC32D370F098F600C5F69450D454F0EDFD2B3D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000275489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:47.732{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000275488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:47.731{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000275487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:47.729{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000275486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:47.727{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000275485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:47.726{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000275484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:47.726{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000275483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:47.722{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000275482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.496{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local65506-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000275481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:45.496{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local65506-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000169236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:45.964{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55370-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:48.838{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0250DD788630621D0127C7868AFA99EC,SHA256=702884AD162E948ED7671EA95D0AC1EBB31190BE1EB7597767775189BD9F3700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:48.647{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=813440BB9A4439D7D0D271E74816E3D9,SHA256=FBEC3B445C60881B9DD17DB60917D59630BF4E29430558A44E5D7D28632B8D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:48.554{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9D82F6DB50ACCC8C3513521C8D88C3,SHA256=902FEF63B6E4CA0C9F560B0847D001FDC74930DE3E87840D11857AABBC0701BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.626{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.623{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.620{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.614{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.610{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.605{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.602{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.572{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.569{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.565{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.563{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.559{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.554{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.549{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.544{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.542{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.541{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.540{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.538{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.516{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.513{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.509{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.503{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.490{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.487{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.484{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.481{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.478{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.477{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.477{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.474{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.472{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.460{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.458{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.424{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.421{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.403{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.392{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.339{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.329{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.315{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.310{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.307{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.303{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.300{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.297{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.294{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.290{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.288{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000275495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.286{6820D070-DD11-6322-8606-000000007402}52806320C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017534610) 10341000x8000000000000000169232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:48.385{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-403C-6323-8C0F-000000007502}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:48.385{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:48.385{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:48.385{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:48.385{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:48.385{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-403C-6323-8C0F-000000007502}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000169226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:48.385{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-403C-6323-8C0F-000000007502}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000169225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:48.385{E743DC12-403C-6323-8C0F-000000007502}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000169254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.736{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-403D-6323-8E0F-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.734{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.734{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.734{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.733{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.733{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-403D-6323-8E0F-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000169248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.733{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-403D-6323-8E0F-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000169247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.732{E743DC12-403D-6323-8E0F-000000007502}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000169246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.645{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54AF773AD6037C219DC3753C38176940,SHA256=490F4AF8C73F35643E0A259288D87651CE39E79297A5E730730819B1B16FF474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:49.015{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B146F3709C732671BD81BDD49095CA,SHA256=CFA94B70B55417EF19A420BE1B9448293DF25C1E8CA60F98A37C80FBB8C33AE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:49.012{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17AF20E625E8FF3246B4103B0B4F3FEE,SHA256=091559BD5128F2470E01ED48BF9D4DECE82C9E1C6A2677208BE5C996C25B2FEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.223{E743DC12-403D-6323-8D0F-000000007502}4100964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.059{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-403D-6323-8D0F-000000007502}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.056{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.056{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.056{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.056{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.055{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-403D-6323-8D0F-000000007502}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000169238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.055{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-403D-6323-8D0F-000000007502}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000169237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:49.054{E743DC12-403D-6323-8D0F-000000007502}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000169273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.877{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-403E-6323-900F-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.875{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.875{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.875{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.874{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.874{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-403E-6323-900F-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000169267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.874{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-403E-6323-900F-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000169266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.872{E743DC12-403E-6323-900F-000000007502}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000169265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.711{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33AF7627FE47A544F930A02EC4049A3F,SHA256=EB880B8DC07DC136BA96A1878CF9C20EA0A1EE40F07955EF025C245E354B83E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.669{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CF20034FAA0750C49EEAD9BD2A74FC88,SHA256=EE89977F0FFBB39519329A9944D0839501D1E4092EA55B26F0B9E94A25EEAC2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:48.650{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65507-false10.0.1.12-8000- 23542300x8000000000000000275547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:50.028{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3982D4B4E190134B07D9539D30E1F463,SHA256=EE26BD7C03D28F1DDCB7D04C6C17E0454961AC17361ED916F8B03BC3327B5C8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.502{E743DC12-403E-6323-8F0F-000000007502}31484564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.277{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-403E-6323-8F0F-000000007502}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.274{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.274{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.273{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-403E-6323-8F0F-000000007502}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000169258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.273{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.273{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.273{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-403E-6323-8F0F-000000007502}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000169255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:50.272{E743DC12-403E-6323-8F0F-000000007502}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000169284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:51.681{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A339409C495EF815159E74B61B661A,SHA256=5845EE77D1A3203089993E07BB0237A83F5C75B10583AE0F6D4673C94961341A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:51.488{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:51.488{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:51.464{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:51.464{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:51.239{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD67BFC0C5D4D2F2A365C66643BAA36,SHA256=E1561E1CED0CCA82CC8E186663F13E18DDBBC004430B161F205124DF95D78A22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:51.655{E743DC12-403F-6323-910F-000000007502}23245184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:51.477{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-403F-6323-910F-000000007502}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:51.474{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:51.474{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:51.474{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:51.474{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:51.474{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-403F-6323-910F-000000007502}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000169276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:51.473{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-403F-6323-910F-000000007502}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000169275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:51.472{E743DC12-403F-6323-910F-000000007502}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000169274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:51.071{E743DC12-403E-6323-900F-000000007502}51641792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000169285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:52.782{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505EE1AC6FFAC91BACD687D67F7A1FAC,SHA256=E6AA5549854D3971F7EE8B9A601310CE78145FBA0DB1947243B8BDC7A42921BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:52.252{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8142AD8482037C99852B4B2B030F688D,SHA256=24676795FE31B4BB374AE236BD2975A2F00CC2B7CE258D6704AD6EE454C11D60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:53.890{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648489263371D8DFBA786580F6300034,SHA256=B793C328B92A40C71F6667A5124A13CEFFD9B7A618A39DB4EF9027F59F2E406E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:53.439{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9DC6001A9CA166939536E9BF35521407,SHA256=23344106313E3D942C17204A8376514473EA2C2F408440A3C21784528B03AFD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:53.263{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F41416CCED7CC16CBEC1BD0D4DAB92,SHA256=8DE0B87C15152866AC3E5FC94ED520232446292E64A06575526E640366F3753C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:54.271{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CAEF850902A8A4A7838244D21A618B,SHA256=35FC48CA53A67CA161D0AC6ADA9B52B302B74B8412CCAA3EE616F917E506E2EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:51.068{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55371-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000275557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:54.251{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.997{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(00000000011234C4)|UNKNOWN(00000000011233F4)|UNKNOWN(00000000011233CB)|UNKNOWN(0000000000E9D11C)|UNKNOWN(0000000001140E76)|UNKNOWN(000000000981FA09)|UNKNOWN(000000000981F9D5)|UNKNOWN(000000000947AA1C)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 10341000x8000000000000000275579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.672{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0A00-000000007402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.672{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0A00-000000007402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.671{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0A00-000000007402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.671{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0A00-000000007402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.669{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.669{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.669{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0A00-000000007402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.669{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0A00-000000007402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.667{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.667{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.664{6820D070-D2EE-6322-0B00-000000007402}628804C:\Windows\system32\lsass.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000275568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:53.712{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65508-false10.0.1.12-8000- 23542300x8000000000000000275567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.283{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A02FF48840DC8EBA7FB604EC7D7CA8,SHA256=4E8A4E9A9D00C6534D94B539CE40734BD2808E27663DEA36699BD1E6DFEFF535,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:55.006{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4419F95C81181CDE452F3B3F3F4B54A0,SHA256=BF3F6172E5E99F5E8D6E07AEB913C5BB0BD93CE3FD5257B6C0BA8B3845071005,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.181{6820D070-D2EE-6322-0B00-000000007402}628804C:\Windows\system32\lsass.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.037{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.030{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.026{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.025{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.025{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.023{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.020{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:56.605{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=551E411C07342E9EF124BFF29B0014D3,SHA256=AA28D3D854BFBF90C0490F614B84E118C4967FC5BB68D0032B42C718CDF280FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:56.495{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\30337MD5=BF53EE5F1BE6C89163B8E375BA9A6424,SHA256=677782C1AA3D0DA5261521CD1BA7FE82AC063D645DC64A6EF33CD9E721FA5124,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:56.405{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DF55A48D3A4C3749D383CA721E237C,SHA256=0611A451F26DF88BC6C26E0A272D1A2F5287CABEDB806AE35DE785175078C908,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:56.128{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18A2DDB8CA228595CFA5E1B9243ACCD,SHA256=24397D957BAC81B62A5C8E388BA80E892BF16676A279D80278739DD51085D843,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:56.166{6820D070-D2EE-6322-0B00-000000007402}628804C:\Windows\system32\lsass.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:57.419{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3372A5B0A13DE111D0C62B220975BED9,SHA256=24E7D685C7E741D340CB9EE8D2B0031433687E4DE59BF8CE3EBE28A5D440DF0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:57.993{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:57.975{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:57.965{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:57.962{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 23542300x8000000000000000169290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:57.245{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336379A499439B99F775F35836750554,SHA256=9016A7EBDAC91956DAFE9FD03DB501968CCFD720E5AEA5040B9672394EFFDAE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.758{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-65517-false127.0.0.1-5000- 354300x8000000000000000275601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.758{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-65517-false127.0.0.1-5000- 354300x8000000000000000275600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.754{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-65516-false127.0.0.1-25smtp 354300x8000000000000000275599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.754{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-65516-false127.0.0.1-25smtp 354300x8000000000000000275598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.721{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-65515-false127.0.0.1-25smtp 354300x8000000000000000275597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.721{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-65515-false127.0.0.1-25smtp 354300x8000000000000000275596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.691{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-65514-false127.0.0.1-25smtp 354300x8000000000000000275595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.690{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-65514-false127.0.0.1-25smtp 354300x8000000000000000275594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.671{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-65513-false127.0.0.1-25smtp 354300x8000000000000000275593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.671{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-65513-false127.0.0.1-25smtp 354300x8000000000000000275592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.663{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-65512-false127.0.0.1-25smtp 354300x8000000000000000275591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.663{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-65512-false127.0.0.1-25smtp 354300x8000000000000000275590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.644{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-65511-false127.0.0.1-25smtp 354300x8000000000000000275589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.644{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-65511-false127.0.0.1-25smtp 354300x8000000000000000275588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.628{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-65510-false127.0.0.1-25smtp 354300x8000000000000000275587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.628{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-65510-false127.0.0.1-25smtp 354300x8000000000000000275586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.522{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-65509-false127.0.0.1-25smtp 354300x8000000000000000275585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:55.522{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-65509-false127.0.0.1-25smtp 23542300x8000000000000000275604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:58.630{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DC06A0B1531738318B0DB4B702080A,SHA256=12F8AD41820125116739F035966B515134E97D75C5D9EDFEC5A92C13B7EA8733,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:56.088{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55372-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.389{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC2E7072AE31AFB07820F5BB753AE80,SHA256=A9CED82AF0472E62AF88141FCA727FEAFD9768E31B6C126F073FBB4173566644,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000169341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.350{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.348{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.346{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.344{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.342{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.328{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.327{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.327{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.323{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.321{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.318{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.315{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.308{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.306{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.288{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.276{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.266{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.243{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.234{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.216{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.208{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.205{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.201{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.198{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.197{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.185{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.176{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.175{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.172{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.171{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.169{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.167{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.161{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.156{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.152{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.146{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.144{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.123{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.112{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.072{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.062{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.051{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.038{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 23542300x8000000000000000169298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.023{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-444MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000169297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.023{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.017{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 10341000x8000000000000000169295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:58.006{E743DC12-DCF5-6322-7D03-000000007502}55365824C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC3D0) 23542300x8000000000000000275605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:59.736{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1482DCA2B76143BEC3CB6A5BC58F63,SHA256=DC1E259188B4EB15B46DF051E512BA1A3CC9D5A73A67554C002F71D147A9E361,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:59.389{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62ECC47A44385F0B53D83F69A1B8C55E,SHA256=0A2D0EEAD0EF957F0A28D3F9E23B58D4FF51B3DABF463E8E066C94D37F7DE509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:09:59.035{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-445MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:00.565{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F0BED3D86CA8A52BF0C80FC26DB48B,SHA256=569B6B7BD54BEF1612C891B394AD982AF722894993D38C62BED7A9B70BBBA664,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:09:58.717{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65518-false10.0.1.12-8000- 23542300x8000000000000000275606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:00.008{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=81F1623E1911A535E194F5E52C8C1F17,SHA256=7569882426F1D9B69A7AE27DB32DB466EFA1B0E4B697B97948B57CE9374A903B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.635{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2011547B75D45895B63D85E8AEC61BE7,SHA256=A9624396B43C584871A4668C75FC089CA76985D6EE85EF10DF0E6311D2C81D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.148{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\32369MD5=977581BFE7798967BE6FF681A9416B5E,SHA256=F7F69388B9C80D9F28C58000AB195F3508243327784CB6BA38E81C17E1BC753D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.148{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\2979MD5=FD2C7285C2654DA2EFEF7534D0BDF547,SHA256=06DBDEAC873CE1E8647AB3DA330EFA51EFC41FB0C96E6B01F3AF0EA1857EAA3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.147{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\9734MD5=977581BFE7798967BE6FF681A9416B5E,SHA256=F7F69388B9C80D9F28C58000AB195F3508243327784CB6BA38E81C17E1BC753D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.146{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\9846MD5=DD20AC654B88B32FD6716B326BE6546D,SHA256=772D9B228CB75401F7773E46F5C17311F9B42C75E87F2AE416E6FC65BD8A5BB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.146{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\29552MD5=FD2C7285C2654DA2EFEF7534D0BDF547,SHA256=06DBDEAC873CE1E8647AB3DA330EFA51EFC41FB0C96E6B01F3AF0EA1857EAA3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.143{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\7366MD5=977581BFE7798967BE6FF681A9416B5E,SHA256=F7F69388B9C80D9F28C58000AB195F3508243327784CB6BA38E81C17E1BC753D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.142{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\14234MD5=5EB5882BBE115DB7CD674519A7D63FE8,SHA256=5F35C07C937B8000E1B8E9639009337EAE02A248EF5D4500913E8CC807408DF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.142{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\17500MD5=14D0B4B97DADA79C86FE76DA67EF95D4,SHA256=C41353E7BE00CAE3C492A3364FD7C2EFB7E7186048CA2FB897312E940E180364,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.141{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\14458MD5=6EC9DDC6F116B8445F0C77ABF28EACF3,SHA256=5E66181AD76F2E62CCB0EA09599276B92AACC3D9CD8B3A87A3AC3F7B383ECC8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.140{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\21438MD5=315AE64A7B7E953FFD002CA927750F7C,SHA256=221A7FC605C960F453583D84AD3FD80A05668C7B0180FD5C7D0F26654D1DAF59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.140{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\1620MD5=C0214F91C3CD90EB931E8789832CB8E3,SHA256=928620E1C3AF9FD37EB755F5EB56B8D3B4E6739C2116901160663A154511D837,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.139{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\28643MD5=E2D7778D53EE7AEEDF6EB4D61548D476,SHA256=CCCBE7EA515272CA328F55FD5B40C88A544CC4552263BC997A0519A5298DA50B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.139{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\9162MD5=9EF4489736E2BE0C56FD25C600A9E911,SHA256=D47572B53BD796A4B420A5BD60B538C7468A0E11F16DEB566F913AABAC47419C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.138{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\9386MD5=4B53DE46CDE50293A46B158397108989,SHA256=0DDE3B50FA95A5354333DF1DCE8453C7BABFAB67A50A8E7C4D991B6C02985D96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.138{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\13325MD5=FC0A10F7621F8188C439E81BA295A8CB,SHA256=8A46BDADCA8F611F35E08A5E0C97AABBB8D26B4EBBC9F756AF1AFBB0B52C873F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.137{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\4201MD5=072AE7E28CBDCE6412BCD4D1113EFCB8,SHA256=8FEAB89E9C6078345B009AE64AE602D90342C02F109922FE9C7330AED691B4E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.137{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\17488MD5=8962C9BA92C75977257822067E19B2BE,SHA256=7818B8B5ABBB0A435FC1206ADA3987FDE115EE1E201E1949700F69EB64289C91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:01.043{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD154648B03C4A7D6B61955D2E876BF,SHA256=6BF4CC51536136DB0DC48EA4795EFBDBA513ECBDF293C81E3472151AE0787512,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000169378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 15:10:01.413{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8c915-0x3a209439) 10341000x8000000000000000169377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.366{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000169380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:02.699{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85BF17BAF68B1621230524BC5DA0F8A3,SHA256=2B1C573C6D64C1232C8941CB96B966684A681497671D5AD008798D4569AF0615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:02.570{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:02.570{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:02.152{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC17164165E9D8ED17B746ECB7BA431,SHA256=A1E26C48D7BE066104D6CB8910923F7AA51FFC69A2F6F5F561A41C22260D4D37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:03.787{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B610A8A03891B71BB71CA395888ABD4,SHA256=A552006468F4855661181AD8C048F3DE55203449BF9D71AD8F992089E418A630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:03.262{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50793EDDCD2C301A559F0D2C610913D1,SHA256=3BFEB8665D86B8DE6B40E33CF456FA01E9F7EE5419285876659B4CBB6710CA6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:00.239{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000169384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:04.887{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2902037B4E5BA427AC5BA5A1CA208F3F,SHA256=5B7B8AA39F6536A8EA56EFC40B0C18E4EC1A57428E1DF35948606B92DA33CA91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000169383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:01.958{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55373-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000275634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:02.739{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65519-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000275633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:02.739{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65519-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000275632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:04.447{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7960C9F193B0725D249D6F0F8AD5BD7,SHA256=8969C4D885C4D7272A54698DF188261BC9ABE1CADC053FFFB96D6DF04D2D5E36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:04.305{6820D070-D2F0-6322-0D00-000000007402}9084416C:\Windows\system32\svchost.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:04.283{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7744F2487E166985909F3416A96798DD,SHA256=E358DEA73560CEF197715A0DCC2C6D55460CED8775B8DE385DB9CF50E1B9736F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:05.858{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE9085F2D196FDD7EC1A62EF9D35849,SHA256=6086E6334EABBF85983DD86551027B32E31038E3CEACED507652F9EF66B7891D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.892{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.889{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000275656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.302{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03DFE162D0287F6ACB3283CF27EE410,SHA256=6B5AA6C786824167FE141C7C6858A5FA676ED15A3F076FD3EDE90F3227A27479,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.299{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.293{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.283{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.281{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.275{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.272{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.268{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.266{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.260{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.227{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.208{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.194{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.184{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.176{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.168{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.157{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.151{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.141{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.132{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.072{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:05.069{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000169386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:06.942{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE95574C2B0C58615169B491059E058,SHA256=08DA77A3D02B4DF3D9CB8A56453308187C2620E8E9F5D8677220BCCFED24CD3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:04.680{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65520-false10.0.1.12-8000- 23542300x8000000000000000275659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:06.310{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB3ADA183F9FD279A824D21E2119817,SHA256=296216568CA0C52122BD4308370596E8B7062A3A66C0B9C7AF671A4694D1B7CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:07.904{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:07.903{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:07.897{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:07.895{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000275661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:07.421{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE31542A2E8EEA1707C4B9D1912EC98,SHA256=F96F1609722D62231AFF1B8BE4A14807AF5B32F0AA8EC93F47525DFD5056D11C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.742{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FDE-6323-6718-000000007402}6008C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.740{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.737{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.734{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.731{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.725{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.724{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.704{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.701{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.697{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.696{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.692{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.688{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.685{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.674{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.672{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.671{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.670{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.669{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.654{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.654{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.651{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.650{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.639{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.638{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.635{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.627{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.621{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.620{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.619{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.616{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.611{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.581{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.578{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.540{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.538{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.519{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.508{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.454{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.446{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000275676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.437{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913075901E869F254E138C986B65CACD,SHA256=A3CE96E0A3CE3311AFC2CF11AA7124E6A9A4013DBA4F9122894C9534016BA457,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000275675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.436{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.428{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.426{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.423{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000169387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:08.058{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218CEAA3D33BF7263AE7EF78661482B5,SHA256=A4BF59DF36C344F65936FCFA5DF2C7666AC8DC1F6A73816EFF903B10F8B35016,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.420{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.417{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.416{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.412{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.411{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 10341000x8000000000000000275666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:08.409{6820D070-DD11-6322-8606-000000007402}52806316C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A3DA190) 23542300x8000000000000000275717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:09.570{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA91BA515746C58F4D0AEAA0E2A5E95,SHA256=65E32D208553B7C091083C1152C2715DCD2385B42CE595154A3C1781A5AC5646,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:07.000{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55374-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:09.128{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7705EF7AA9A8495B6617898592611F,SHA256=D987D6CC2F6AEED77BEFBA6782572403F52B3351E8692B8D6721CC1C3728B8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:10.871{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59BE3C0678A5BC27E4952485B05ABE95,SHA256=6B43C4C4293283FABD87A059C1EFBD8508836B34372667397FC7143C8454BB3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:10.559{E743DC12-D550-6322-0D00-000000007502}7842752C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:10.559{E743DC12-D550-6322-0D00-000000007502}7843528C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000169390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:10.259{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ABA02FDBBFB1F8844F2BE859F7DBEBA,SHA256=3E737B50FC76591585BA28BDA99CAE717AA80081322D8CC953AF485169ED2CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:11.360{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CC6E1A025ED62DEC25D5D0997148CE,SHA256=A9BBACA011A7EF03795B32B97449B667BC3537F0E989A26DAAD724FFF005D3B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:11.173{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:11.173{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000169394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:12.476{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D435B888EFC9CEF7CF42A018CE7753A,SHA256=82467DC9D72D290EF4E8402F8095946B325946B4A854155709E4918720AC002B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:10.551{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65521-false10.0.1.12-8000- 23542300x8000000000000000275721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:12.083{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4B264126D5BA190FF66A6DC502295C,SHA256=4823467C843F90E5F8A0C4D08BE13BB4B2B570CDFBB006488C587760E07190EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:13.594{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6CB388A6C3606986FEB7C25D128D0BD,SHA256=D33E4A03021ADFD4AFCFDEF28A9DDDE31A3CAAD84702D4A5C110F556EC982BE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:13.933{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:13.917{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:13.917{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:13.195{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64615730682432252E6B79304940E948,SHA256=3581EAE7189F3CAA3F4AF0ED65F98ED62E62E173B20BA24D40592EFD47864680,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:14.677{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6480720B0776959325E9EC7860C6C4B2,SHA256=7B7852B4CDDAE8FD2C3D8168D53616A7D80671CE89667DB91ABB7286BF646254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:14.408{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83E4D772D69E836EE1C85079E1FB3BE,SHA256=EFBFB575388DEDC7EBD1C1CAEF7892312AF87E112F67C687CAA9006370DD4D3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:13.020{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55375-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:15.749{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65256A147877E9F0691AB538E5AEE133,SHA256=42A1C09D17388FD20D2A40977B576F197F9A9D8D0C09B23D151C34B33ED41F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:15.419{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC7C774783358D10BC036BD27AA7EE7,SHA256=94A84252FFD2A49847488FC7CB98C5FB55447A223D8A2AF6918FB82F84D243DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:16.802{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91137A29E9454B4F791E18C280F2BEDD,SHA256=8DBE6E201648CE04EC2F5F41E6D49A19A77936F250A21786370B38A8195857C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:16.591{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-454MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:16.429{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26938924CAA3A0F24AE2114B11D8AE80,SHA256=0D91096EEED179979612DCE90A46F7149DF9FC20AC65DD9B3FB08EAFF3A4F1E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000275736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:15.573{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65522-false10.0.1.12-8000- 23542300x8000000000000000275735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:17.591{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-455MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:17.555{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\13158MD5=7B240A7139E8B8E5A4B6E83B4098E2BE,SHA256=8990F6B7E59AC0C333F42F4311A87DBD82EE9FA73D645B51DED7A7DF3B8C2B02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:17.438{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6465B5BB88A86EC7C43D741CD1C94CC,SHA256=D9FD12220CF7FAC31DAB460C2B5C77B457739D9B75AF7D1D9E4EB683061D9160,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:17.994{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:17.981{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:17.976{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000169400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:17.931{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26BB91D392218EA41267F312050DA356,SHA256=5F82CC908CD7FC3BAB6660F4479ABB6FA18DB93A4020D64DBD0335235F45B298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:17.021{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\14409MD5=720DEA7F9DCC49DBF403EFA514116C23,SHA256=3681BA2DE10D1C503A3619E961960DC6EDD2C47A1AE705A96CBE045ADA8C38A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:17.020{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\3030MD5=DD20AC654B88B32FD6716B326BE6546D,SHA256=772D9B228CB75401F7773E46F5C17311F9B42C75E87F2AE416E6FC65BD8A5BB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000275852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.951{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000275851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.949{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000275850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.948{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000275849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.783{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000275848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.783{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000275847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.782{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000275846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.782{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000275845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.779{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000275844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.778{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000275843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.778{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000275842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.777{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000275841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.771{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000275840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.770{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000275839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.768{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000275838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.767{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000275837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.765{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000275836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.765{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000275835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.765{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000275834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.765{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.764{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000275832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.764{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000275831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.764{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000275830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.764{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000275829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.764{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000275828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.764{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000275827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.764{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000275826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.764{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000275825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.763{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000275824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.763{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000275823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.763{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000275822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.763{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000275821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.762{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000275820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.762{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000275819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.762{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000275818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.762{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000275817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.762{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000275816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.762{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000275815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.761{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000275814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.761{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000275813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.760{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.760{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 23542300x8000000000000000275811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.755{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29DF29065FCA973E002F10AB993B6274,SHA256=1649097B38B97F0A37D4C3717A77E2970FFECC4D593825D2F26938FFC8B2B8D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000275810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.755{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000275809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.755{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.754{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000275807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.752{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.752{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.752{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.751{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.751{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.751{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.747{6820D070-405A-6323-7718-000000007402}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000275800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.439{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\EsdSip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying .esd Electronic Software Distribution filesMicrosoft® Windows® Operating SystemMicrosoft CorporationESDSIP.DLLMD5=CDF191FF99AF7729029F5E098FF7D819,SHA256=53A7D390A146F888AF5FE3F1EF3859ECC58D9E0EA3AE27FDDF281CE14691568D,IMPHASH=E47F6D532615E6E31018F6C5A9EA62C1trueMicrosoft WindowsValid 734700x8000000000000000275799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.438{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying PowerShell script files (.ps1/.ps1xml)Microsoft® Windows® Operating SystemMicrosoft Corporationpwrshsip.dllMD5=5366DEE11C59571EC48B56020E8949DE,SHA256=EE5CDBEDA2067413ACB7B5E7B4AF53B40336148CA104D1671212B43737EB348C,IMPHASH=C93A45A26AACEA8208AA325C281035F0trueMicrosoft WindowsValid 734700x8000000000000000275798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.430{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\OpcServices.dll10.0.14393.2848 (rs1_release.190305-1856)Native Code OPC Services LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationOpcServices.dllMD5=991F8CCB43104DE3BD6E24A4D2BF870D,SHA256=8187C096A269D20742DEC9B651536F1C7A354D114B176179B1F4E090BB28E1F2,IMPHASH=F5D44AC1D5D2912F6B871FE7D5604CEDtrueMicrosoft WindowsValid 23542300x8000000000000000169451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.653{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B421456528A36EFBB1BBCE1D1CBE56EA,SHA256=C1FA2CD4B5A73F7C8793EC665F1D327D7E53541AD947277157953CFA8A058E3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000169450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.390{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 734700x8000000000000000275797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.433{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x8000000000000000275796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.409{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\AppxSip.dll10.0.14393.4169 (rs1_release.210107-1130)Appx Subject Interface PackageMicrosoft® Windows® Operating SystemMicrosoft CorporationAppxSip.dllMD5=33AEB645167296EFE22E1BB64B63CBFC,SHA256=6E2B948F3CD7EEC6D9A9A864476F074FB5876E397916FF81A39B23976489AB52,IMPHASH=B062C097D0B3B0DCCA3ECC898B231E28trueMicrosoft WindowsValid 10341000x8000000000000000275795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.421{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.404{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41,IMPHASH=EE821B7DB352A29DF6636AEB059E4519trueMicrosoft WindowsValid 734700x8000000000000000275793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.397{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msisip.dll5.0.14393.4704 (rs1_release.211004-1917)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=E05D3AEDC7E9A28DB9CE81C0C4D5DF91,SHA256=E57F53A4ADADE83595524BE8821C726882ABF0BA748471D3F4F502F4D8CDAECC,IMPHASH=9990E8AE89385588C988664086E258E7trueMicrosoft WindowsValid 11241100x8000000000000000275792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localDownloads2022-09-15 15:10:18.391{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\fosVkwmb.jpeg.part2022-09-15 15:10:18.386 11241100x8000000000000000275791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localDownloads2022-09-15 15:10:18.391{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\SC_administrator_WIN-DC-CTUS-ATT_2022_09_15_15_09_56.jpeg2022-09-15 15:10:18.389 23542300x8000000000000000275790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.389{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\fosVkwmb.jpeg.partMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000275789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localDownloads2022-09-15 15:10:18.386{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\fosVkwmb.jpeg.part2022-09-15 15:10:18.386 734700x8000000000000000275788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.374{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000275787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.373{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000275786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.372{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000275785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.158{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000275784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.157{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000275783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.156{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000275782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.155{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000275781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.154{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000275780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.153{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000275779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.153{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000275778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.145{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000275777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.145{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000275776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.145{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000275775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.144{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000275774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.144{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000275773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.144{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000275772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.144{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000275771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.144{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000275770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.144{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000275769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.144{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000275768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.144{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000275767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.143{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000275766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.143{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000275765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.143{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000275764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.143{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000275763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.143{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000275762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.143{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000275761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.143{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000275760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.143{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000275759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.143{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000275758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.143{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000275757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.142{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000275756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.141{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000275755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.141{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000275754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.141{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000275753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.140{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000275752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.140{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000275751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.140{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.140{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000275749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.139{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.137{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000275747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.137{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000275746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.136{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.136{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000275744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.136{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.136{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.135{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.135{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.135{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.135{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.133{6820D070-405A-6323-7618-000000007402}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:18.030{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.388{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.386{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.381{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.376{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.354{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.353{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.352{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.346{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.343{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.340{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.332{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.325{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.324{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.287{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.273{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.265{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.243{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.237{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.228{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.224{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.223{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.221{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.218{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.217{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.215{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.212{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.211{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.209{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.208{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.206{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.203{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.196{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.192{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.187{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.173{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.169{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.153{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.144{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.090{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.073{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.061{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.053{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.043{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.034{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.027{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000169404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.016{E743DC12-DCF5-6322-7D03-000000007502}55365576C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 734700x8000000000000000275956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.968{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000275955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.968{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000275954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.967{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000275953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.966{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000275952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.964{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000275951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.964{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000275950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.964{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000275949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.963{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000275948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.962{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000275947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.956{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000275946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.956{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000275945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.955{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000275944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.955{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000275943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.955{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000275942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.955{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000275941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.955{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000275940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.955{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000275939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.954{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000275938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.954{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000275937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.954{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000275936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.954{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000275935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.954{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000275934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.954{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000275933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.953{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000275932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.953{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000275931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.953{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000275930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.952{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000275929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.952{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000275928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.952{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000275927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.951{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000275926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.951{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000275925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.951{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000275924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.950{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000275923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.950{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000275922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.950{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.949{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000275920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.948{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.948{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000275918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.947{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000275917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.947{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.947{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000275915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.947{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.946{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.946{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.946{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.946{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.945{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.944{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000275908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:17.489{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65523-false10.0.1.12-8089- 23542300x8000000000000000275907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.667{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE5CA789376193F2A096A716793145F,SHA256=3646EDC3B1FEE074C0FED7B075922F80DAC7E816E5EA97249A961EC57C1AFC62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:19.035{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4AC71B18238CBF1C17D91A0737A6D7,SHA256=45E64E7FAB7A84572BAAA92E3A079B8E52C21C6275EFD1A33E9F80D4BED73A2E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000275906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.472{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000275905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.471{6820D070-405B-6323-7818-000000007402}54367636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.471{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000275903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.470{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000275902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.313{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFC40DF4559FFB164D60F3C882E6FE1,SHA256=39F3A4952FB918DACD38C7FEFE8B15810F2E47EA1FB284F7D5C8FF19AD5CFDCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000275901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.298{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000275900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.298{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000275899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.297{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000275898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.296{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000275897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.295{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000275896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.294{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000275895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.294{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000275894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.294{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000275893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.286{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000275892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.286{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000275891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.285{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000275890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.285{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000275889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.285{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000275888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.284{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000275887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.284{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000275886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.284{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000275885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.284{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.284{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000275883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.284{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000275882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.283{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000275881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.283{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000275880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.283{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000275879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.283{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000275878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.283{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000275877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.283{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000275876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.283{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000275875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.283{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000275874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.283{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000275873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.283{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000275872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.282{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000275871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.282{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000275870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.282{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000275869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.282{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000275868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.282{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000275867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.282{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000275866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.281{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.280{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000275864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.280{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000275863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.279{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.279{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000275861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.279{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.279{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.279{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.279{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.278{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.278{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.277{6820D070-405B-6323-7818-000000007402}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.171{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AF3F86DCA57E04967E08D01B27FE5BD,SHA256=6A90A95C62BD68199FC924D6EDA283A6472904035958AF51F080353C76E7BAC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000275853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:19.072{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6CD95C251E0852451E2E6B3E68E9151F,SHA256=52652CDB67FC82C68DF57B02F85E8E6E000DE64A772FEEC0CB3776C7E8724DB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000276023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.874{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000276022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.873{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000276021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.872{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000276020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.831{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE6678DCF25F51796DFF3ADA5480F63,SHA256=643E3E7348F8021257C3B828FBBE6EE0EA3760B3B18868A46CF9671C1BE5053D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000276019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.787{6820D070-DD03-6322-6F06-000000007402}26202600C:\Windows\system32\taskhostw.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.689{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDECD6230FD7C16C56D18E8576644F55,SHA256=679E4702BB23E3A0356C8C4FB8216ED294DCE26ED8DD7A89C24267B3B5DBE1A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000276017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.635{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000276016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.634{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000276015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.633{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000276014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.631{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000276013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.629{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000276012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.629{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000276011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.629{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000276010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.629{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000276009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.621{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000276008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.620{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000276007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.620{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000276006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.619{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000276005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.618{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000276004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.618{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000276003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.618{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000276002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.618{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000276001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.618{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 23542300x8000000000000000169455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:20.786{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3D40CF2DFD7545F57D382C7DA576D18D,SHA256=708DD7397DAB8F3D9E68B27C6319C011CFCA3B13B8BB9CF16CBAF8DCBFA7DF6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000169454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:20.354{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000169453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:20.117{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84DB9FC5BF06DE603D2263F04B2DC44,SHA256=BDC12AA304FD351D1B2F6596299B4503AEB11F79DBC85A7FDBDEBAE0EF00170A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000276000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.618{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000275999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.617{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000275998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.617{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000275997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.617{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000275996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.617{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000275995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.617{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000275994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.617{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000275993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.617{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000275992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.617{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000275991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.617{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.617{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000275989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.616{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000275988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.616{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000275987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.616{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000275986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.616{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000275985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.616{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000275984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.615{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000275983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.615{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000275982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.615{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000275981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.615{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000275980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.614{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000275979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.614{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000275978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.614{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000275977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.613{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.612{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000275975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.612{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000275974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.611{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000275973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.611{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000275972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.611{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.611{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.611{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.611{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.611{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.611{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.609{6820D070-405C-6323-7A18-000000007402}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000275965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.192{6820D070-405B-6323-7918-000000007402}69006880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000275964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.192{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000275963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.191{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000275962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.128{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.128{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.126{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.126{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.126{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000275957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.126{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405B-6323-7918-000000007402}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 23542300x8000000000000000276076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.852{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DA55BB70B4DD39B725E0D9093D20A6,SHA256=5F769CC7A72D3818588049BE614813388E1A4C21FF042BBCBF8BBE8D8564875C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:21.155{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AF838BA098B9BDE86ED09B78E3B99D,SHA256=4747409E091D60FD04492FDFC6FAACA753D085B5D03DBF5ACD0A4E0A36879FF6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000276075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.591{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000276074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.591{6820D070-405D-6323-7B18-000000007402}43927360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.591{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000276072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.590{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000276071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.406{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000276070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.405{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000276069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.405{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000276068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.404{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000276067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.402{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000276066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.402{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000276065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.402{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000276064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.401{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000276063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.394{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000276062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.393{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000276061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.393{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000276060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.393{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000276059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.393{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000276058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.392{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000276057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.392{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000276056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.392{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000276055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.392{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.392{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000276053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.391{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000276052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.391{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000276051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.391{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000276050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.391{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000276049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.390{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000276048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.390{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000276047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.390{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000276046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.390{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000276045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.390{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000276044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.390{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000276043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.390{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000276042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.390{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000276041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.389{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000276040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.389{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000276039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.389{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000276038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.389{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000276037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.389{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000276036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.387{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.386{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000276034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.386{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000276033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.385{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.385{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000276031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.385{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.385{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.385{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.385{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.384{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.384{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.382{6820D070-405D-6323-7B18-000000007402}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000276024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:21.214{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 23542300x8000000000000000169459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:22.556{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:22.186{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE08C9EBCFA55EA86C48CE670256CCC,SHA256=02422DB34D209BAF6D1027CB7F78A379840577CBB98677B226060FF027B02A91,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000276169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.992{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 734700x8000000000000000276168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.990{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000276167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.987{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000276166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.986{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000276165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.985{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000276164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.982{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000276163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.981{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000276162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.981{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000276161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.981{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000276160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.980{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000276159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.980{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000276158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.974{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000276157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.973{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000276156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.954{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000276155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.954{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000276154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.952{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000276153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.951{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000276152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.951{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\System32\svchost.exeC:\Windows\System32\deviceaccess.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=4C76812B58E0B647D28D6FCEFC6702AF,SHA256=76CF6D4562438A4F51D526C1A9962F7174490A553CC9897C9F60A96702EEB680,IMPHASH=1F40F992028A58CCA9DFDD62028D0D40trueMicrosoft WindowsValid 734700x8000000000000000276151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.951{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000276150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.950{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000276149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.949{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.948{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000276147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.948{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000276146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.947{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000276145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.947{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000276144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.947{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000276143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.946{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000276142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.946{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000276141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.945{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\System32\svchost.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1,IMPHASH=BDE6E9F55B678D4E2440D9FA0C8B81FBtrueMicrosoft WindowsValid 734700x8000000000000000276140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.944{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000276139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.944{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000276138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.940{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000276137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.936{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.936{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.936{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.935{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.935{6820D070-DD00-6322-5E06-000000007402}34204136C:\Windows\system32\csrss.exe{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.935{6820D070-DD04-6322-7906-000000007402}26562344C:\Windows\Explorer.EXE{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e73b|C:\Windows\System32\windows.storage.dll+16e451|C:\Windows\System32\windows.storage.dll+16e09e|C:\Windows\System32\windows.storage.dll+16f340|C:\Windows\System32\windows.storage.dll+16ddee|C:\Windows\System32\windows.storage.dll+fce8d|C:\Windows\System32\windows.storage.dll+fd5cc|C:\Windows\System32\windows.storage.dll+fc930|C:\Windows\System32\windows.storage.dll+16650a|C:\Windows\System32\windows.storage.dll+166262|C:\Windows\System32\SHELL32.dll+9cafd|C:\Windows\System32\SHELL32.dll+9b696|C:\Windows\System32\SHELL32.dll+8dfa9|C:\Windows\System32\SHELL32.dll+cf48e|C:\Windows\System32\SHELL32.dll+157b8c|C:\Windows\System32\SHELL32.dll+1578e3|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.875{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exe10.0.14393.5127 (rs1_release_inmarket.220514-1756)PaintMicrosoft® Windows® Operating SystemMicrosoft CorporationMSPAINT.EXE"C:\Windows\system32\mspaint.exe" "C:\Users\Administrator\Downloads\SC_administrator_WIN-DC-CTUS-ATT_2022_09_15_15_09_56.jpeg"C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6820D070-DD02-6322-1C5A-600000000000}0x605a1c2HighMD5=D3756516A0F9A6271671855DA01DC62B,SHA256=061D41C4239A0DBE2D9578D4D10A5DB2A8F21C1C0F9B63AAE490F1CDD683340A,IMPHASH=A1AE90944010E9EC06EBA7D463508EB8{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000276130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.558{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\3025MD5=977581BFE7798967BE6FF681A9416B5E,SHA256=F7F69388B9C80D9F28C58000AB195F3508243327784CB6BA38E81C17E1BC753D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.557{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\19577MD5=FD2C7285C2654DA2EFEF7534D0BDF547,SHA256=06DBDEAC873CE1E8647AB3DA330EFA51EFC41FB0C96E6B01F3AF0EA1857EAA3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000276128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.234{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000276127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.234{6820D070-405E-6323-7C18-000000007402}46044364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.226{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000276125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.226{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000276124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.072{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000276123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.072{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000276122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.071{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000276121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.070{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000276120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.068{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000276119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.068{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000276118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.068{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000276117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.067{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000276116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.061{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000276115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.061{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000276114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.060{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000276113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.060{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000276112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.060{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000276111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.059{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000276110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.059{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000276109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.059{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000276108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.059{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.059{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000276106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.059{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000276105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.059{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000276104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.059{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000276103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.058{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000276102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.058{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000276101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.058{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000276100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.058{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000276099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.058{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000276098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.058{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000276097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.058{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000276096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.058{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000276095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.058{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000276094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.057{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000276093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.057{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000276092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.057{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000276091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.057{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000276090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.057{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000276089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.057{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000276088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.056{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.055{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000276086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.055{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000276085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.054{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.054{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000276083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.054{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.054{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.053{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.053{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.053{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.053{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.052{6820D070-405E-6323-7C18-000000007402}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000169457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:18.876{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55376-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000276287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.948{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\System32\svchost.exeC:\Windows\System32\pnpts.dll10.0.14393.0 (rs1_release.160715-1616)PlugPlay TroubleshooterMicrosoft® Windows® Operating SystemMicrosoft Corporationpnpts.dllMD5=FFA44FD7FEDA32632E8CE84AD0F9101B,SHA256=2A0746A7876C1A430F9C9A5BE4BE28CAA2FF4F73477651AE5CC74462278F333B,IMPHASH=2AF0358C9B643BA1C759C9C883F150F5trueMicrosoft WindowsValid 23542300x8000000000000000169460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:23.288{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7AC3FA6501015423939FBB1F197EC0,SHA256=AA8AF6B95D2CEE17D44841B9CE7ACDD1B8618FD31A4AE71CC345E88C80B464B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.926{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.926{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.926{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.552{6820D070-DD03-6322-6F06-000000007402}26202600C:\Windows\system32\taskhostw.exe{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.546{6820D070-DD03-6322-6F06-000000007402}26202600C:\Windows\system32\taskhostw.exe{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.537{6820D070-DD04-6322-7906-000000007402}26564728C:\Windows\Explorer.EXE{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.537{6820D070-DD04-6322-7906-000000007402}26564728C:\Windows\Explorer.EXE{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.537{6820D070-DD04-6322-7906-000000007402}26564728C:\Windows\Explorer.EXE{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.536{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.536{6820D070-DD04-6322-7906-000000007402}26564728C:\Windows\Explorer.EXE{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.536{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.535{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.535{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.504{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\oleacc.dll7.2.14393.5127 (rs1_release_inmarket.220514-1756)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=3737D7B3A07BD11A31CD91B11F7EBA46,SHA256=528C1810C991DD93FA25D6A67A1415BC0A189189AEE0A62C0C79A43AA594E978,IMPHASH=427F18493D540CBF4092BD07A97BE51FtrueMicrosoft WindowsValid 734700x8000000000000000276272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.469{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\PhotoMetadataHandler.dll10.0.14393.4169 (rs1_release.210107-1130)Photo Metadata HandlerMicrosoft® Windows® Operating SystemMicrosoft CorporationPhotoMetadataHandler.dllMD5=6FB0850ABAD1E8FDD1F662FCF819262C,SHA256=3EFCA956A159AE40CE292607EC59E4D258BDE13EAB51AFEF270FE55154CFA26E,IMPHASH=C204FCA51D1E4DDB2A7903D799C90765trueMicrosoft WindowsValid 734700x8000000000000000276271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.464{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 23542300x8000000000000000276270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.488{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CA667B115833A88EF6CFC4D13CEA0778,SHA256=E5EFAD7CD9DC3155B2719C194C11D831E230ADF12DFA78F7FE2CD513CFE33BB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000276269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.368{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B9738D6785CE0FF92F87C583E47E50B4,SHA256=EAEB44F64DF50357448460AE57CDFD154A4035B36A519EF868302DE3DD26F16A,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 734700x8000000000000000276268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.351{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\msxml6.dll6.30.14393.5291MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=A362CCDBE82A110E864A59410B1C450F,SHA256=D05D510E37824ADF4917CA1F5BCD4F19F48B9664B2188C2CAD14481B6F7E0CC9,IMPHASH=FCAD6732873DA041FB25E83E799A2652trueMicrosoft WindowsValid 734700x8000000000000000276267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.286{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\atlthunk.dll10.0.14393.2969 (rs1_release.190503-1820)atlthunk.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationatlthunk.dllMD5=BECA5E9FA540246333036919A57B7AEF,SHA256=62C24B274B38A88C83EE122CB30142C2135953C1A26582AD003512B238CB7FC9,IMPHASH=E86BAF1A171668A11110B8975A3BDE27trueMicrosoft WindowsValid 734700x8000000000000000276266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.282{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\UIRibbonRes.dll10.0.14393.2969 (rs1_release.190503-1820)Windows Ribbon Framework ResourcesMicrosoft® Windows® Operating SystemMicrosoft CorporationUIRibbonRes.dllMD5=0E292AC74DFBCBC12876A2B9F1BAD117,SHA256=058A57CF7DE921134A785903FF03CB254F07F901D9561EEFEFFA3597D0CC3BC9,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.260{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560D,IMPHASH=5500EF6AAEED0FAA2DE0F3B65E67DE20trueMicrosoft WindowsValid 734700x8000000000000000276264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.257{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\fdPnp.dll10.0.14393.4169 (rs1_release.210107-1130)Pnp Provider DllMicrosoft® Windows® Operating SystemMicrosoft CorporationfdPnp.dllMD5=23D6408C20F4A0047E5F586354492C2F,SHA256=49F69E54AA909ECFD8A463B102BE708B496AD9A1EF73BAD2C10383E234AA75B1,IMPHASH=CE603E72BE35448111FFAD017648951FtrueMicrosoft WindowsValid 734700x8000000000000000276263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.249{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\sti.dll10.0.14393.3442 (rs1_release.191219-1727)Still Image Devices client DLL Microsoft® Windows® Operating SystemMicrosoft CorporationSTI.DLLMD5=C756057A0E7B12B1DA677BF555513700,SHA256=FF23B7A568CB0A48C7EC53C363F6C0CEE41ACE16D04380C2B598736AA183FB1B,IMPHASH=03964085BB4710CC44C907511132449DtrueMicrosoft WindowsValid 734700x8000000000000000276262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.257{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\sti.dll10.0.14393.3442 (rs1_release.191219-1727)Still Image Devices client DLL Microsoft® Windows® Operating SystemMicrosoft CorporationSTI.DLLMD5=C756057A0E7B12B1DA677BF555513700,SHA256=FF23B7A568CB0A48C7EC53C363F6C0CEE41ACE16D04380C2B598736AA183FB1B,IMPHASH=03964085BB4710CC44C907511132449DtrueMicrosoft WindowsValid 23542300x8000000000000000276261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.414{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10750C456640A7CE7F8B7EA69B14DA5F,SHA256=E3450E49ABDAD3A7ECFE3BCF48CA0E60B4D83AFE4BE600B76738AF8467C5514E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000276260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.245{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\fundisc.dll10.0.14393.0 (rs1_release.160715-1616)Function Discovery DllMicrosoft® Windows® Operating SystemMicrosoft CorporationFunDisc.dllMD5=0F54ABD1EAC74FC00BED394DC7F3F682,SHA256=366EB1FCC88FA18EAFA954FBBB967B0E1383929E2FADBB54ED2174E9B07F0998,IMPHASH=DA6C3183FBFC5FF462CA880F87A5C413trueMicrosoft WindowsValid 734700x8000000000000000276259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.241{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\deviceassociation.dll10.0.14393.0 (rs1_release.160715-1616)Device Association Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdeviceassociation.dllMD5=68139108F7E1D4327BE76289E14C2159,SHA256=05436A7EE5EE877F3EA6B12604D41EFCE288F093AAEE03A906FB7C9A4A76DFDA,IMPHASH=CA757A840D91610BF593E8A2814EB9B3trueMicrosoft WindowsValid 734700x8000000000000000276258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.240{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\wsdchngr.dll10.0.14393.0 (rs1_release.160715-1616)WSD Challenge ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationWSDChngr.dllMD5=D912A3C7773C63C885D295174FD9BE9A,SHA256=EB4E97A238C74B1DBD9D5086CC04B2922E68736AFDF60CE7989544C948D1D62E,IMPHASH=E9001D4DF0EC7514394AE71AD1AD37CCtrueMicrosoft WindowsValid 734700x8000000000000000276257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.234{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x8000000000000000276256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.377{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29967AA8F2433E25198374AE0BE43116,SHA256=56C08C69DA2E07AB4318DF68F31663050BD67F7239B0DB395F9582FD36747FF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000276255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.233{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\NtlmShared.dll10.0.14393.5291 (rs1_release.220806-1444)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=3A44E9A10EBDD0D2746002CCC20CB441,SHA256=81279D12F880183167FC48BDB2245A37DEDD59089CB57FEC63286E5B31BE4B91,IMPHASH=36FD662FB3EF657597E485F3FC734A67trueMicrosoft WindowsValid 23542300x8000000000000000276254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.372{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0917249711DEA41D6C260858DFF140EF,SHA256=9241BF57C3CA6C07F5F9CBAD0D06551C791A90B5A0890690F5E7C294085F770C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000276253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.232{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\msv1_0.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=713310247F713F75837BD517F1A687DD,SHA256=D8C98591934A2F89AC526A6D3EE3F17907C60C58D842A73FA5FDDBE6E852AEC2,IMPHASH=BCA5B616268D9E5FC12AB66DF3B96D6AtrueMicrosoft WindowsValid 734700x8000000000000000276252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.220{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\wiatrace.dll10.0.14393.0 (rs1_release.160715-1616)WIA TracingMicrosoft® Windows® Operating SystemMicrosoft CorporationWIATRACE.DLLMD5=0BC9CC67EF837471465CD54CF416FBE7,SHA256=25DB698335CEAAE5F876662E9BDB3B2AE430D3F39E87375D03DBA39728EA42CD,IMPHASH=E06208E9826C17376013D215ACD4C733trueMicrosoft WindowsValid 734700x8000000000000000276251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.261{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\wiatrace.dll10.0.14393.0 (rs1_release.160715-1616)WIA TracingMicrosoft® Windows® Operating SystemMicrosoft CorporationWIATRACE.DLLMD5=0BC9CC67EF837471465CD54CF416FBE7,SHA256=25DB698335CEAAE5F876662E9BDB3B2AE430D3F39E87375D03DBA39728EA42CD,IMPHASH=E06208E9826C17376013D215ACD4C733trueMicrosoft WindowsValid 734700x8000000000000000276250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.218{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\wldp.dll10.0.14393.5006 (rs1_release.220301-1704)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=E0E13482A64635E305045F9EECAF4F53,SHA256=68291C8D8C6C8CDC112A9BA73B28C5C29CD87017E96DBCC5009B9BCDBDDEF326,IMPHASH=BAB4B09716AD341771228F16AF6CB4A6trueMicrosoft WindowsValid 734700x8000000000000000276249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.209{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\wiaservc.dll10.0.14393.3866 (rs1_release.200805-1327)Still Image Devices ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationWIASERVC.DLLMD5=BB702BDEC5677293ABE6874EF5814915,SHA256=2685CC5420C1C5BC52C4C97F852BDA202B8006B82295CB45CD9AEC5EF0ED840A,IMPHASH=0F85E4CA6FE64A7B7AEFF7707FF3AB97trueMicrosoft WindowsValid 734700x8000000000000000276248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.190{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924trueMicrosoft Windows PublisherValid 734700x8000000000000000276247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.173{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=17061020D475E2BCD9FABBE2403F03DB,SHA256=24E48405A73B2C3532A04A910E465FAC6E87B064A40D5ABAFFFF091D1033B3C5,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x8000000000000000276246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.159{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\WinTypes.dll10.0.14393.5192 (rs1_release.220610-1622)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=F3BCB5B813B4FB4010138BE1BD58F4C4,SHA256=E5879F56DBBC6270E05DE601288AB45868E349024B6C4FDACA6BDF51D7F5C97A,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x8000000000000000276245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.145{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x8000000000000000276244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.142{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\efswrt.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Storage Protection Windows Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationefswrt.dllMD5=5A0D0B6358BFBCC853A32BCA9BE21E70,SHA256=B78D7BDCAD8DE24DFC0EBC57CE7AB4AE07A44E8AEB67CC4D1B387AFDF6450720,IMPHASH=DB722C59D528E4A03ECF3B136E3B2A72trueMicrosoft WindowsValid 734700x8000000000000000276243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.131{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\UIRibbon.dll10.0.14393.2969 (rs1_release.190503-1820)Windows Ribbon FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationUIRibbon.dllMD5=9D1DA01AD4A8FE3EB9A3AA8C624A3D17,SHA256=CCBCB2185E26DFDCA2F4E1602C30F5765EC1513CCCEE0B78EB4DD8A5E881D6EE,IMPHASH=508BE6EE4D24037F10E1CECBEADF5B04trueMicrosoft WindowsValid 10341000x8000000000000000276242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.291{6820D070-D2F0-6322-1200-000000007402}963352C:\Windows\System32\svchost.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\das.dll+3df2|c:\windows\system32\das.dll+38e7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.268{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000276240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.255{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x8000000000000000276239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.253{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000276238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.243{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000276237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.242{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000276236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.085{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\msftedit.dll10.0.14393.4704 (rs1_release.211004-1917)Rich Text Edit Control, v8.5Microsoft® Windows® Operating SystemMicrosoft CorporationMsftEdit.DLLMD5=76AA789092145B52D12BF1B1E8658294,SHA256=8116A9DDDA0090327E537D1C87EE3C6A1716B6228AD20F71665F0E493ACD47EF,IMPHASH=7C36F76BEB38B735155D539BEBF60532trueMicrosoft WindowsValid 734700x8000000000000000276235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.239{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000276234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.238{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000276233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.237{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 10341000x8000000000000000276232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.236{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.233{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x8000000000000000276230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.228{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.227{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.227{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000276227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.226{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000276226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.220{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.219{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000276224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.218{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000276223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.218{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000276222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.214{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000276221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.213{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000276220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.213{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000276219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.212{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000276218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.212{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000276217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.212{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000276216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.212{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000276215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.211{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000276214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.211{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.211{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000276212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.210{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000276211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.210{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000276210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.200{6820D070-D2EE-6322-0A00-000000007402}6201972C:\Windows\system32\services.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.034{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.5127_none_aec7dd25ddd79049\GdiPlus.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=7278B609C8DAD47E0E93DBB4D49361D1,SHA256=B9FB1418BE46EACB34582BC8F4E867CE4AD7D3C580987AFE0A8EC55ED30A5247,IMPHASH=BC747D18CC28DFF374DB67CDCF580B6BtrueMicrosoft WindowsValid 734700x8000000000000000276208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.196{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000276207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.195{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000276206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.195{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000276205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.193{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000276204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.191{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000276203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.190{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\System32\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000276202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.189{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.188{6820D070-D2EE-6322-0A00-000000007402}6202956C:\Windows\system32\services.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.184{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.184{6820D070-D2EF-6322-0C00-000000007402}8487268C:\Windows\system32\svchost.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.184{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2EE-6322-0A00-000000007402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.175{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.173{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000276195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.006{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\explorer.exeC:\Windows\System32\dsclient.dll10.0.14393.0 (rs1_release.160715-1616)Data Sharing Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdsclient.dllMD5=68B9D02A469519C6BFD9F39854EE8E62,SHA256=A7646650AB50D076DBBC6E9B767565DDA71B078814BC2071BA525F118B861883,IMPHASH=F148E4E0D3E37883A6CAB6CEE53CA685trueMicrosoft WindowsValid 734700x8000000000000000276194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.006{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\explorer.exeC:\Windows\System32\WpPortingLibrary.dll10.0.14393.0 (rs1_release.160715-1616)<d> DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWpPortingLibrary.dllMD5=9F86158107F4C4A954E1A1594A73E769,SHA256=8D797D0B92ACE4957EDC3380C06D54CC2912896248A2A68E86F83FA0B7A24136,IMPHASH=B4ACDC77E7BA866BD19676ABBA0D0B2FtrueMicrosoft WindowsValid 734700x8000000000000000276193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.004{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\explorer.exeC:\Windows\System32\Windows.System.Launcher.dll10.0.14393.4886 (rs1_release.220104-1735)Windows.System.LauncherMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.System.Launcher.dllMD5=7ED19A9D5A5247B32B502763E8D83731,SHA256=127243F0E56E1A210F1CABDA9EB1FCFC59CEF192BF06F21BD06BD1D662C29EC4,IMPHASH=2FCCF9E601F23A043E51DA1E837A3065trueMicrosoft WindowsValid 10341000x8000000000000000276192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.141{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000276191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.141{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000276190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.141{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000276189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.140{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000276188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.140{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000276187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.140{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 734700x8000000000000000276186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.136{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x8000000000000000276185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.991{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\odbc32.dll10.0.14393.3471 (rs1_release_1.191218-1729)ODBC Driver ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationodbc32.dllMD5=7BE20E672645485F6A3B2E34389344BA,SHA256=B6F6E06CACEE09FB6CC0ACF874477FC9094EA4C14A07FF59B228BDD23C7BF02A,IMPHASH=B6FE10FF835FBB8612CC749787B5472EtrueMicrosoft WindowsValid 734700x8000000000000000276184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.985{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\feclient.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT File Encryption Client InterfacesMicrosoft® Windows® Operating SystemMicrosoft CorporationFECLIENT.DLLMD5=53DDCEEEBB92F311D9F3A6170495BDD9,SHA256=E94B5BD888D06DD6F4A33797459CF46E3F4AAB5A3FBDFFB668E5AB61C51E5A85,IMPHASH=F81B72A18C4A8A86D4B59944671E95CAtrueMicrosoft WindowsValid 734700x8000000000000000276183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.973{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\mfc42u.dll6.06.8063.0MFCDLL Shared Library - Retail VersionMicrosoft (R) Visual C++Microsoft CorporationMFC42.DLLMD5=DD361EE0A665F41783E02CEA20285E61,SHA256=457BF44CC1BE99FD74983178AC34E83AEC2ED73DFEE9F9FC7F5F501AD8A6D03B,IMPHASH=5407FE666C5FCACC20F969C8CE05D993trueMicrosoft WindowsValid 354300x8000000000000000276182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:20.622{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65524-false10.0.1.12-8000- 734700x8000000000000000276181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.090{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000276180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.973{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x8000000000000000276179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.939{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\mspaint.exe10.0.14393.5127 (rs1_release_inmarket.220514-1756)PaintMicrosoft® Windows® Operating SystemMicrosoft CorporationMSPAINT.EXEMD5=D3756516A0F9A6271671855DA01DC62B,SHA256=061D41C4239A0DBE2D9578D4D10A5DB2A8F21C1C0F9B63AAE490F1CDD683340A,IMPHASH=A1AE90944010E9EC06EBA7D463508EB8trueMicrosoft WindowsValid 734700x8000000000000000276178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.055{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 11241100x8000000000000000276177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.041{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Downloads.lnk2022-09-15 10:08:10.036 23542300x8000000000000000276176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.039{6820D070-DD04-6322-7906-000000007402}2656ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Downloads.lnkMD5=986E448C6E24158240395AD6DFA30293,SHA256=9122C7E01D7D160839554D7243412B55DC0C0D7DFB44631FA3C1892E547E0556,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000276175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.038{6820D070-D2F0-6322-1500-000000007402}12528000C:\Windows\system32\svchost.exe{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.037{6820D070-D2F0-6322-1500-000000007402}12521316C:\Windows\system32\svchost.exe{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\system32\mspaint.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.037{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 11241100x8000000000000000276172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.020{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\SC_administrator_WIN-DC-CTUS-ATT_2022_09_15_15_09_56.jpeg.lnk2022-09-15 15:10:23.020 734700x8000000000000000276171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.000{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000276170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:22.999{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 10341000x8000000000000000276299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:24.977{6820D070-D2F0-6322-0D00-000000007402}9084416C:\Windows\system32\svchost.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:24.977{6820D070-D2F0-6322-0D00-000000007402}9084416C:\Windows\system32\svchost.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000169462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:24.373{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8ACFD8720DE03E489A88E1E5E4F661A,SHA256=55961271876B9935D2801D2FE0EED1C5C2DB10EA551F2D92F3482449B0E5264D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:24.435{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0427B4724FDC41F04FEB0E7899428F88,SHA256=FAA3F474829EBB1EB703877D7D1916693C1617036F6DA850636A2A74FE4BD264,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:24.435{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4570725DE444D17ADC86BD33DEC9A74E,SHA256=1B5E3802BA6AD6841C7C9EE7BAB0C8778189BFE1D6FE31DA6EE2EEC16B56B773,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000276295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:24.121{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000276294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:24.121{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000276293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:24.121{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000276292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:24.120{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000276291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:24.120{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000276290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:24.120{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 23542300x8000000000000000276289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:24.013{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=43F3C0178411D6B770EC205180B9EBD4,SHA256=A43BFA6022E8402BD50CA2B3FDB00BFF5C6123ECFDED1C76133F017E35AF11F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000276288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:23.999{6820D070-405E-6323-7D18-000000007402}6208C:\Windows\System32\mspaint.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BF,IMPHASH=B74E4EE6BBCE405BE73914241C9AF2C8trueMicrosoft WindowsValid 354300x8000000000000000169461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:21.378{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55377-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000169463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:25.459{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31131FF62AA9E0D402B19C229BD799F1,SHA256=7C74274751E8B5A7283A81BE8959B37BCA7C2E41BB440C29C2E3FAA25185B06B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.630{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.629{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.261{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.254{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.244{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.240{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.234{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.231{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.230{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.228{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.222{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.193{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.180{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.176{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.169{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.159{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.150{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.138{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.131{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.122{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.110{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.072{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.068{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000276300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.039{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C2095D8810EB011A5177A6CE1370DF,SHA256=BE8006BF07B85E710FE5DB425DA132CDB7B8FE2DFFA940F1DA7C3FF37EDFBAEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:26.545{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BA0386C776362980B1F1563DBF29B8,SHA256=8150BFCD47140FD59FCC52F8F5C06CD3CD8F698E426585AAB3B0D3B18A00C249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:26.156{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948E776BBA5C0956FF44C8A68F87D430,SHA256=B6DBE37EEDA11A4A2CFC1024F65C042BE0E1537746C03A10EFF33FBEB564026E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:27.644{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C835843A57E68EA0E25C1BA5A045D698,SHA256=8D0EF09C1F50AB2D49647DF05308DEB120926A84DE7F4EFC1BA046FC348F8296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:27.644{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:27.643{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:27.634{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:27.632{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:27.285{6820D070-DD04-6322-7906-000000007402}26567236C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:27.272{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:27.272{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:27.264{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A924C1C4937D8F5CF36D85C1701D04A,SHA256=9EA4065A92F693E1308056444A62F4306CEED430153811007B8F6A7C796FDBD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:23.948{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55378-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:28.738{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B012F4C284BBEA74BF91B008F7E5B73C,SHA256=DDCD2012188CF610C25F2B694FCA61EA03D1489328F84CEAAE3328B868F207E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.441{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.438{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.436{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.433{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.430{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.424{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.422{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.399{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.396{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.393{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.390{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.384{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.377{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.374{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.370{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.367{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.366{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.366{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.364{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.348{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.345{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.342{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.340{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.331{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.330{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.324{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.319{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.316{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.315{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.315{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.311{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.309{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.298{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.296{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000276350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.278{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A28BD6F2751B79C1398A9FF167D1C6E6,SHA256=D8AF382CD563EA91FB2E3143B5D3F14D8C7C2B80572EDA15084224FF36A9FF5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000276349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.267{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.265{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.247{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.236{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.190{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.183{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.174{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.168{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.167{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.164{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.159{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.156{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.155{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.151{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.150{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000276334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:28.148{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 354300x8000000000000000276333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:25.718{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65525-false10.0.1.12-8000- 23542300x8000000000000000276386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:29.831{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\permissions.sqlite-journalMD5=7FD1A6A1A75E919AAF83F2577096F56C,SHA256=85B52E40819428814FE3CD13C6C333F0E0BD344E37B9E153D13228B333C45152,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:29.537{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4858D210640164AC93959A2E91BF5AD,SHA256=571E915999C05DF85F1F0684755D0631FC22ED010CC3E12462697B3361B5A5EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:29.762{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7A685D4D0595FC09047A2B7528FC3B,SHA256=5FF442A3D5E26F3AA1350A7A85DFAFC3DC8E3B94ED689E729A38930ADF99D4C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:30.611{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6158D83D9094E267FFE2B36C1737BBA,SHA256=F842261CD80A9247E51EA56A8FFEB94B292DA8EA4247D3238F388166CA6FF07C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:30.840{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D5F64A2E020EB0C2ECE9DC22B85079,SHA256=FC25EAE6C67C4E92253F1100D22FEE91EC7C3EE65CEF5A0572F622C1BD5FFE79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:31.922{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46CF4F53186FA5AAC12F2B383B42105,SHA256=D2D3A49F60B9FFE844F7A36630F2573FC0F8BAA6C012D958CD7F04D81D51AAB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:31.847{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4C68AFD2FC4F93D00252FE25B03712,SHA256=9DD5A32D6333B02E4EE4E8B0933533313CDB262880C60C0121B0C97FF92AACAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:31.324{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=18001D69C51720406A7C689CC527078C,SHA256=A1500AA98F68E25A81EA9BBAB9DF28586924169BBB9B6D58C9566974CB95CAD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:32.964{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5776FB3EF4E99BA0B3D187A18F6D31,SHA256=51F2A3D26710011523EAFF1FB4AE04E0F0BD5E90782CD4C0DAB1F893338ED20E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000169471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:29.019{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55379-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:33.979{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C798EAEE2FF1F8E1568F19C80F6F02,SHA256=98CCFCE0C52173B489E399023C09B9A40C693786149B9DBEA1DA3B0BC4122A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:33.033{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90952029975CB7CDEFD6C84DE5AFFBF6,SHA256=6613BD48E48B584E6819B6FF95F889437E093DD716A2D86F7FF5563EB450C4CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:34.995{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4A56E6C47015D894016C5852FDBADD,SHA256=F72DB0C91BFAEE9E627BA011BBA336910B12F3CA1194B43CD12128464602ACB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:34.349{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C41BE76F8225F01E48DBF3455D5A99AE,SHA256=E4D8A9DCAB4DE672FE8B92670F4C63C743FB8D6794F6FE1611814D17CE311769,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000276391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:31.674{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65526-false10.0.1.12-8000- 23542300x8000000000000000276393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:35.460{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767E2C990530CC285DBC0F1BE53EB341,SHA256=253C802EC5FAD248AA6A6CC111E57FD695D0DF2B7C328D6CBBE2012C187BED0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:36.769{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3026D364EA33B0146AB3AE60250282,SHA256=27B53C8F3A13D9316A0DD6BB7AFF23F3FCBD56D9D587708F575F944D2363876F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:36.116{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EDCB75255E8C20C1704EC821923448,SHA256=193B272AE9FA9F806B7A5E0ED51D91DA402390098CF2299AF017D74E6F42B046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:37.875{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10C8545C0E2A8EC1EFC49D33EE09385,SHA256=69B14A8E54C2270011DF33F13D9A1080C6C04D0EC150306565EDB59F455FB90A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:37.998{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:37.991{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:37.983{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:37.975{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:37.966{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:37.963{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000169476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:37.234{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA238A6852DD5B98F9CE0BDD9119A545,SHA256=A63A158F9F132D37393235A16F749277CE5AC047518D86274899237CFF61E9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:37.163{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\aborted-session-pingMD5=2C1874375140BD662E56B1D1431636EE,SHA256=0BF4A59F186D57E887656A822D4E2BA95EE4991BC64BABA6AA15F6F843EE17EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.551{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB19D655339AABCC8A1B72F1A29314E,SHA256=C1B9413FC879A5625C42BBEF5526F41865D32FE88AE9D752057DBF35E94746E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000169527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.336{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.334{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.331{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.329{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.328{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.314{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.313{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.313{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.310{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.306{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.303{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.300{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.292{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.290{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.268{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.253{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.241{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.205{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.199{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.183{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.169{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.165{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.163{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.159{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.157{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.153{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.150{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.149{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.144{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.133{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.128{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.125{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 354300x8000000000000000169495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:34.089{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55380-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000169494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.118{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.115{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.108{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.101{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.099{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.079{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.070{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.042{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.035{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.029{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.018{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000169483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:38.005{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000169529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:39.257{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDB0CECFBFEAACFCF6690B4198E822D,SHA256=A934FD87E05A4A123794E3C98D9AB100213CAFB39F1A31A114FFC82412D5173D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:39.182{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=715A68F77505313E8E60555AC664A824,SHA256=B3F1356B679732A84C6F983899D666685F8938E39589F47FAE3640F400D6A574,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000276397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:36.693{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65527-false10.0.1.12-8000- 23542300x8000000000000000169531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:40.354{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9113EA37C55ACF55F4B402B9ACDD4413,SHA256=DC7577591CA2297DE23FE2A75D0D26DD19AFE644326CD7F797D6945382C8078D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:40.270{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A619D9B621EEB9625182B125350B71BD,SHA256=25CBF0C4874FBBA6ED4C4E366A33D82A850D0B38BE0F12576BD260B5402E1FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:40.316{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=2584535296666F5E57B69D5BA84EB942,SHA256=A618937CD20EB4112B573B948DC34308FDF65C3FF620795033A5D3611FCA3B22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:40.194{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A26F7673208FFBD58AD03EB8FE88FA3,SHA256=53FAB728F17869E70258133B4595F6D37CF141197959190721ABD3CC37D97EDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:41.502{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFB480CE3D659B10BD10C10D61E1226,SHA256=4B48771D9934E26E53B71A7C4C8E75EBE4878436038B174AD39DE05F6EFBE73A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:41.353{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3613F9D1693E0CE3F436EAF1A9AE7346,SHA256=B8AC9289ADEF8D0D138DF1B14923A0A94D19E85C0E7B0B4100A2892EC3B58CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:42.807{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165A160EBDB0DA7B25DA4417DC96C26E,SHA256=CDB705A404BEB1C1444BABEC1BC4C691E590259113F6E0474BFDBCD43ECCA5D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:42.458{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB37DAD72E22DA5FB762114108163FA,SHA256=53EC386C5225B5857BEE54AC4E469EF7CFA78B40C8E116544B38D7CEE5940767,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000169535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:42.054{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:42.054{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:42.054{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:43.911{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFC34D330AB165AD2C88F2A1DCF45EC,SHA256=17ECBE8AA9642B10BF094D054BC2BF0F7310DF662BE379F2E74CC9CDE12676A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:43.480{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099A873A230C939997BDAC0703A85160,SHA256=810BC8A0A9DBCDF18229EBA2446E5851D57EC1C8DC4925AB5AFD1A9336234CA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000169537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:39.901{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55381-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:44.577{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F4B3B4FB2AC8DD56E3106EB89F07AB,SHA256=76A7E8FDA743328DDB600A6EF44CE6520A3202542EFAC069D8A75F8A63A2E10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:45.662{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CD79BF402035104DE05DD93F3EFC0D,SHA256=A3A41917FBA17DA3EE56433E9E4AAFCD380697B597C02524AF4C8F1CA86FC198,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.801{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.795{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.360{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.351{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.340{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.336{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.323{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.320{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.315{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.313{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.307{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.277{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.261{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.256{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.248{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.237{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.224{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.204{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.194{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.181{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.170{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 354300x8000000000000000276407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:42.664{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65528-false10.0.1.12-8000- 23542300x8000000000000000276406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.119{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2246D77F2D0101B9EA1C2B181192BF8E,SHA256=41EF06AAFF687BD19276414FCA1136BFBFB32426F3D70AE76EA0B2DB21A821FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000276405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.106{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:45.103{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000169541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:46.779{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39FFDA68264807AEA8BC3A3D77CC5B2,SHA256=226416181A673959EBEB8B08A2D527E457F315C2AD51615CEAAC63FDD9070030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:46.579{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4D0715A0949C0136BECFDD16E0104C6F,SHA256=E76101788AA5ED9CB9195C980C76754DB20237323A701770B4881A6AC6343659,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:46.129{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714A53A1AA3C40F05AF691EB09D9AA6B,SHA256=406BAF3E373B8356CA4963A73F223BEE820BB58FE86A73D70972DCE12129C12C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:47.880{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC21A64828A08FBF3703638A9AFF87D,SHA256=9DF252026F2243FCD844EC9033F72C7D6D4CEA47478A8D47F374A048EAD4C5F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:47.818{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:47.815{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:47.807{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:47.804{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 734700x8000000000000000276438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:47.731{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000276437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:47.730{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000276436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:47.728{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000276435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:47.727{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000276434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:47.726{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000276433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:47.725{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000276432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:47.723{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:47.332{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422F7882D22EBDB58B3F67987AE8067D,SHA256=32AF699C113FC3E9D0B575AB2651772456686E6A6207FB7DF6D609C1E71DFBB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:47.727{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-4077-6323-920F-000000007502}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:47.727{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:47.727{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:47.727{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:47.727{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:47.727{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-4077-6323-920F-000000007502}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000169543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:47.727{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4077-6323-920F-000000007502}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000169542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:47.728{E743DC12-4077-6323-920F-000000007502}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000169571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.981{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-4078-6323-940F-000000007502}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.981{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.981{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.981{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.981{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.981{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-4078-6323-940F-000000007502}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000169565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.981{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4078-6323-940F-000000007502}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000169564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.983{E743DC12-4078-6323-940F-000000007502}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000169563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.966{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2542583BE03D413EEEA7BA654BD84F,SHA256=CBB3E2172887BB0062F364DE3E5600F6B3A98BD9D1AD400F9F53C9AE19756E1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.641{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-405F-6323-7E18-000000007402}7872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.638{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.634{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.631{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.627{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.621{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.620{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.598{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.594{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.587{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.586{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.581{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.571{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.568{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.564{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.561{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.560{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.559{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.558{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.545{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.544{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.542{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.540{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.528{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.527{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.524{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.521{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.518{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.517{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.517{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.513{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.510{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.501{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.499{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.472{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.470{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.452{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000276456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.445{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D63516C99D65541C69956887FD31EF2,SHA256=328BE24DA31BEE6B29F9AD6D3F975F2771DEF3328333519581DE7BC5FA13F7A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000276455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.443{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.387{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.379{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.360{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.354{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000169562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.844{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DB1690C6A0F2BB2C51D27D417913575,SHA256=A44E2C44B2B0CD8F4F71B061AA3200967FFEA466814F802844FDD1B46F717500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.614{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=678BB71E19ACC5DF0E1A81F872CADC52,SHA256=269B9D778B3EFE488371BCD57145AB58DCC8D1CD2BEC8E293B5BF4B85022E2C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000169560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.580{E743DC12-4078-6323-930F-000000007502}24923172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.396{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-4078-6323-930F-000000007502}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.396{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.396{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.396{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.396{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.396{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-4078-6323-930F-000000007502}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000169553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.396{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4078-6323-930F-000000007502}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000169552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:48.397{E743DC12-4078-6323-930F-000000007502}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000169551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:44.937{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55382-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000276450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.351{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.347{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.342{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.336{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.335{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.330{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.325{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 10341000x8000000000000000276443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.321{6820D070-DD11-6322-8606-000000007402}52805376C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001358A190) 23542300x8000000000000000276497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:49.873{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D982EC82CD9FFEDAB9CA6EA0D6E64C5,SHA256=98B8D9F57F287EE49ECC7AB47D8BC09A7ED35551C3E9D6336A1277580640C4D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:49.831{E743DC12-4079-6323-950F-000000007502}2380740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:49.650{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-4079-6323-950F-000000007502}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:49.648{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:49.648{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:49.647{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:49.647{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:49.647{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-4079-6323-950F-000000007502}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000169574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:49.647{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4079-6323-950F-000000007502}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000169573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:49.646{E743DC12-4079-6323-950F-000000007502}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000169572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:49.145{E743DC12-4078-6323-940F-000000007502}12322220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:49.399{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:49.399{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:49.399{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:50.973{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206FF5F972364BF7C04658761DC8ECF5,SHA256=7582F68CC956C86B23221B94F8821E194B717883DCA0484448244F6035F16030,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:50.485{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=FB7BBC523A1730A63A10925FF7160EE7,SHA256=99C57BE39E311CE088177B1503ACE54DA4C1BD12BFD587D1D1C7834C1F345900,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000276498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:48.626{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65529-false10.0.1.12-8000- 10341000x8000000000000000169590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.329{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-407A-6323-960F-000000007502}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.329{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.329{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.329{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.329{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.329{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-407A-6323-960F-000000007502}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000169584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.329{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-407A-6323-960F-000000007502}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000169583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.330{E743DC12-407A-6323-960F-000000007502}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000169582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.045{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7082F259BBBCD60DB2710A9C4A3E3E34,SHA256=B86102D6F2FA3463260522F99475D480C0DFF731BB99EC8A668FD533E449B4A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000169609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:51.830{E743DC12-407B-6323-980F-000000007502}15842496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:51.665{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-407B-6323-980F-000000007502}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:51.662{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:51.662{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:51.661{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-407B-6323-980F-000000007502}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000169604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:51.661{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:51.661{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:51.661{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-407B-6323-980F-000000007502}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000169601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:51.660{E743DC12-407B-6323-980F-000000007502}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000169600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:51.146{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F212D9CCE61F6426B27F675A2CF75C03,SHA256=38B4AC871A604FE8D7EDCFA747F06D9A841DFB9D19DF0FE0FD106A1C2DC7D6DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:51.083{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=11DA97A19989DF89BB13753BDAB2D84A,SHA256=BEFA035E7C7223C3129B90541187AE992BC973C9BF2A23FD56109711E813B3EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000169598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.998{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-407A-6323-970F-000000007502}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.998{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.998{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.998{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.998{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.998{E743DC12-D54F-6322-0500-000000007502}412528C:\Windows\system32\csrss.exe{E743DC12-407A-6323-970F-000000007502}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000169592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.998{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-407A-6323-970F-000000007502}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000169591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.999{E743DC12-407A-6323-970F-000000007502}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000169610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:52.147{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D01B2D52D1E497532C990288D5467F,SHA256=646FBB630E5B4AD504A229E1C4E3D3BD84F6968ABAC5E1D7F0E6D51B6B79621A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:52.075{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06C56B8D5125D5919EA5EC87BFF666B,SHA256=DDC0F283C8085964365284A1A4450E865171B4D3BA1AC53A38E7FF326B98821A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:53.247{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A53A4572825035E64A03B8391E2AD2,SHA256=580C0187B99A9C213DE1BC55A9924E309ACE236803F4A990AEDBFF2575F862A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:53.711{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F163731C5A9BDCB1575F9317588B3B36,SHA256=BDCF3315C3DDDE33B47273E397248906398E73CA14FAE41C7721B0DCAE6C8DC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:53.081{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A257C37947E68E6323A79D2526CE6CD0,SHA256=0836DCE63D914DE2A4B42B5CCCCECAA15E2BFC1396E2A2D85170C08ACA4D8A02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:54.385{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53AF6F294B1C2E5C80F8D868E327ECEB,SHA256=F791A3A9DC6C2800B37BA5F9A2E1C7DFC3421A1C582B6FD94FA5A1FC4AD7C1AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000169612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:50.888{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55383-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000276504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:54.189{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC34F38724F3BACC0732EC20F2A4E82,SHA256=0472D0C798FC90684A81D7B32695E4EAFEF8B32002C9C5E6F8196A4966EC9C1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:55.293{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2F195F2A37B38BBB2CCFB6126554CF,SHA256=06670A7ABAE11B09FE875F1D45F0861EC78A52599E6DA684E1F2DC13AD749D75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:55.485{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4731E5B122CF9804D552DE4F16D5B8,SHA256=BEF6B3EB9EEB6FAC6986AE94FB18BAD13B9295D9DD2CCDF1B3A3F690C59425A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:56.596{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0CFCE02E7ECEE204B324832F1E600EE,SHA256=C5025B931A6303C34B2698DC6D23ECC70E7E57363F0B6E8BB1B90E1A69AC9305,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:56.602{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3177338C9B1E97B9324355D7A02AA4BA,SHA256=A912E4818591C57657019BC03FB37C113515288D1ADC8AABE9BD28C4E13C23B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:54.500{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65530-false10.0.1.12-8000- 23542300x8000000000000000276509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:57.810{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4DBD68D28D5355791D256C61D1C6BACE,SHA256=AF985AACC010590AAFFF269C4883874269868B69B7446B5840D45B6D7A2CD3AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:57.702{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798EAC87906C01EA5D3D238D63D82835,SHA256=E1C4C07E2A6A8CF2EF58466A0DAF0155DE49230C712A669F94DA38E4F4B6A3B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:57.996{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:57.988{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:57.980{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:57.968{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:57.965{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000169616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:57.673{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E2BA445F3B52C77C2E12F8FF78B016,SHA256=2F0D4FBB8595E757E1565902278C287E36A0555B94E5051173B7BD0708DB7E28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:58.907{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69C50BE9006EEA1E680C48ED967D0BC,SHA256=D63D6B35638E75C334F3B297143BF378C254BCE6DF161A74D1F99CE5C2A7B6EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.873{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12371AA5A1CC56C4CFB7DF277D3FB27D,SHA256=64D808249FDDD9E3D419F3B641821EF1ABC1BA02D5B407CF76C195A91C7F885E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.873{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF90F3DE027FAB6657A882CEB32B889,SHA256=EBD7CCAA32A7F2CF395F15899AC052D19C634CF6413668A95B4737B40FE408C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000169666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.307{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.303{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.300{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.298{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.296{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.281{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.280{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.280{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.276{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.273{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.269{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.267{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.255{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.251{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.232{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.219{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.208{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.176{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.165{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.156{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.146{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.144{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.144{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.141{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.140{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.135{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.132{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.130{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.129{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.127{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.125{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.123{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.118{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.113{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.109{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.103{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.101{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.084{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.075{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.049{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.041{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.033{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.021{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.009{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:58.003{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000169671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:59.905{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B2E7A9EFAC5853CD595776E67143F7,SHA256=A1254F5AF9D7B4EF87C9F197060996229EECD515E7B82E6DD7F9AE08B9D182EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:59.925{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:59.923{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:59.922{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000276515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:10:59.096{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8540D214-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8540D214-0000-0000-0000-100000000000.XML 13241300x8000000000000000276514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:10:59.093{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BDD44E51-425D-47BA-BA16-AF37623148D4\Config SourceDWORD (0x00000001) 13241300x8000000000000000276513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:10:59.093{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BDD44E51-425D-47BA-BA16-AF37623148D4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BDD44E51-425D-47BA-BA16-AF37623148D4.XML 10341000x8000000000000000276512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:59.079{6820D070-D2EE-6322-0B00-000000007402}628804C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:59.079{6820D070-D2EE-6322-0B00-000000007402}628804C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000169670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:59.554{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-445MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000169669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:10:56.061{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55384-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:00.990{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D1F48FCEF657D270327E5DDD8F0541,SHA256=3CEF74CC21B7B978957F9C5FA4AAB6402C4EA39AEA8ACD56CFBDFD9553176590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:00.938{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=194C651B027D00381DBEC3171EEEA6BC,SHA256=8D4801FBE048D43F2179B9BBCC0FAF0970DFE2637EA09F126A23D2E9EBACAF3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000276526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:00.754{6820D070-D2EE-6322-0B00-000000007402}628804C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:00.751{6820D070-D2EE-6322-0B00-000000007402}628804C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:00.751{6820D070-D2EE-6322-0B00-000000007402}628804C:\Windows\system32\lsass.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000276523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:58.569{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:7805:3900:f880:ab2f:8c94:ffff-57771-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000276522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:58.569{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local57771-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000276521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:58.552{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local65531-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000276520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:58.552{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local65531-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 23542300x8000000000000000276519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:00.013{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79608669ABBBD0DC9536B051759AAE30,SHA256=B875680593B43BFF67B2B292BE1153959407E04137DA23305E18F2D86589BC66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:00.554{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-446MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:01.440{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7d109|C:\Program Files\Mozilla Firefox\xul.dll+e7d3e8|C:\Program Files\Mozilla Firefox\xul.dll+121687b|C:\Program Files\Mozilla Firefox\xul.dll+e79d77|C:\Program Files\Mozilla Firefox\xul.dll+e5eae7|C:\Program Files\Mozilla Firefox\xul.dll+1f88572|C:\Program Files\Mozilla Firefox\xul.dll+1a9930a|C:\Program Files\Mozilla Firefox\xul.dll+1a9be25|C:\Program Files\Mozilla Firefox\xul.dll+1887aa0|C:\Program Files\Mozilla Firefox\xul.dll+1c8a8b0|C:\Program Files\Mozilla Firefox\xul.dll+1e3b9f6|UNKNOWN(00000104A8127F45) 354300x8000000000000000276532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:59.532{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65533-false10.0.1.12-8000- 10341000x8000000000000000276531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:01.288{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7d109|C:\Program Files\Mozilla Firefox\xul.dll+e7d3e8|C:\Program Files\Mozilla Firefox\xul.dll+121687b|C:\Program Files\Mozilla Firefox\xul.dll+e79d77|C:\Program Files\Mozilla Firefox\xul.dll+e5eae7|C:\Program Files\Mozilla Firefox\xul.dll+1f88572|C:\Program Files\Mozilla Firefox\xul.dll+1a9930a|C:\Program Files\Mozilla Firefox\xul.dll+1a9be25|C:\Program Files\Mozilla Firefox\xul.dll+1887aa0|C:\Program Files\Mozilla Firefox\xul.dll+1c8a8b0|C:\Program Files\Mozilla Firefox\xul.dll+1e3b9f6|UNKNOWN(00000104A8127F45) 354300x8000000000000000276530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:59.389{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65532-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000276529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:10:59.389{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65532-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000276528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:01.119{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AEA7BE0775C27DC8DC679CBFCF57661,SHA256=B68603E6D3F79F189FE961A942E0D027B91E80D5DEA7ACAAD75707F2149DD4C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000276538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:00.816{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63019- 354300x8000000000000000276537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:00.815{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local51574- 354300x8000000000000000276536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:00.220{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65534-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000276535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:00.220{6820D070-D301-6322-2100-000000007402}2504C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65534-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000276534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:02.129{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44F04E13AA4EFCF37DEDD4079DB7A4A,SHA256=8D8B99A8283F1064203E01B46E3E219ABEAAD325C857543B3AB0C079B286EDFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:02.107{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F374A328F045A83F368554D6BAAF4CC6,SHA256=464150510F78D1C4BAFC2D727D8F53D673E6D7AFFD5A80EBE007C058C4D2FE34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:03.441{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:03.441{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000276542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:00.906{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local49152-false51.11.192.50-443https 23542300x8000000000000000276541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:03.233{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5083211E7BB6AB587F5F78B28E986A52,SHA256=9A237EB6FD8F1B970F006D02E51BC9DDAC60B9F72B9CCDBF3017BE3D08A3664A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:03.172{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671BF03BA0CC7D44D01DA50FEA873059,SHA256=AD04E101F5F226CA2996AA5697443BEAE14472F85F88083E21CC31B113032C6E,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000276540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:01.324{6820D070-EFF0-6322-ED08-000000007402}4396onedscolprdfrc04.francecentral.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000276539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:01.308{6820D070-EFF0-6322-ED08-000000007402}4396onedscolprdfrc04.francecentral.cloudapp.azure.com051.11.192.50;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000276547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:02.739{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local49153-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000276546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:02.739{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local49153-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000276545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:04.243{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3F30067F5916FE5A23DAD70CED4BE8,SHA256=05A9D798960BC0726F80AD41FFE2BA81EF4B0B0FCDDC512B1D0D7BD7E48648BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:01.914{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55385-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:04.309{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8482DA72A67B2F5E179BEBFA7F660E15,SHA256=6CA315D7BDD34B1B8A87585D59BB9B3852F533F2383F37E717A98B2600511B10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.667{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.666{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.286{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.274{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.266{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.262{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.256{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.251{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000276563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.251{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCBD976D7CC0442C593CCC3588354CF,SHA256=CB55FEA795C15ABCED359A91EA7340FCB9466A9EE1FB440035D95CF760DB4357,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000276562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.249{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.246{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000169678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:05.410{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D1E770551F3DEE14BB6A1A03CE491A,SHA256=E6B155CDD18199A5BB38E9B970C4E8D70197DF179CEF55AA0AC15E42B19DB259,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.240{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.212{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.197{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.192{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.182{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.167{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.158{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.147{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.139{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.127{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.119{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.069{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:05.067{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 354300x8000000000000000276573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:04.620{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local49154-false10.0.1.12-8000- 23542300x8000000000000000276572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:06.357{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1588D188E79F7067EEFF84742819115,SHA256=D83D80429CFE8B239DFAF50799840EC3362BFE33950445B2F73E2AF7EEAA73B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:06.496{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85F018B05FEF74D62ACA4DC374F7560,SHA256=D5376F44A7BF4A9AAA674B566F7566169BAD95AD99BAE95BD0C83C4398B63F92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.694{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.693{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.685{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.672{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.469{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.465{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF4B9CA047E0B0DC119515F9848295A1,SHA256=A43431365FB39A178A4E56AD4C1C4CDB359A932E5CB4BBA0E6DE5E982C8C2FD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000276585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.446{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\EsdSip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying .esd Electronic Software Distribution filesMicrosoft® Windows® Operating SystemMicrosoft CorporationESDSIP.DLLMD5=CDF191FF99AF7729029F5E098FF7D819,SHA256=53A7D390A146F888AF5FE3F1EF3859ECC58D9E0EA3AE27FDDF281CE14691568D,IMPHASH=E47F6D532615E6E31018F6C5A9EA62C1trueMicrosoft WindowsValid 734700x8000000000000000276584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.445{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying PowerShell script files (.ps1/.ps1xml)Microsoft® Windows® Operating SystemMicrosoft Corporationpwrshsip.dllMD5=5366DEE11C59571EC48B56020E8949DE,SHA256=EE5CDBEDA2067413ACB7B5E7B4AF53B40336148CA104D1671212B43737EB348C,IMPHASH=C93A45A26AACEA8208AA325C281035F0trueMicrosoft WindowsValid 734700x8000000000000000276583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.441{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x8000000000000000276582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.441{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\OpcServices.dll10.0.14393.2848 (rs1_release.190305-1856)Native Code OPC Services LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationOpcServices.dllMD5=991F8CCB43104DE3BD6E24A4D2BF870D,SHA256=8187C096A269D20742DEC9B651536F1C7A354D114B176179B1F4E090BB28E1F2,IMPHASH=F5D44AC1D5D2912F6B871FE7D5604CEDtrueMicrosoft WindowsValid 734700x8000000000000000276581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.437{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\AppxSip.dll10.0.14393.4169 (rs1_release.210107-1130)Appx Subject Interface PackageMicrosoft® Windows® Operating SystemMicrosoft CorporationAppxSip.dllMD5=33AEB645167296EFE22E1BB64B63CBFC,SHA256=6E2B948F3CD7EEC6D9A9A864476F074FB5876E397916FF81A39B23976489AB52,IMPHASH=B062C097D0B3B0DCCA3ECC898B231E28trueMicrosoft WindowsValid 734700x8000000000000000276580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.432{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41,IMPHASH=EE821B7DB352A29DF6636AEB059E4519trueMicrosoft WindowsValid 734700x8000000000000000276579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.427{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msisip.dll5.0.14393.4704 (rs1_release.211004-1917)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=E05D3AEDC7E9A28DB9CE81C0C4D5DF91,SHA256=E57F53A4ADADE83595524BE8821C726882ABF0BA748471D3F4F502F4D8CDAECC,IMPHASH=9990E8AE89385588C988664086E258E7trueMicrosoft WindowsValid 11241100x8000000000000000276578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localDownloads2022-09-15 15:11:07.426{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\SC_administrator_WIN-DC-CTUS-ATT_2022_09_15_15_09_56(1).jpeg2022-09-15 15:11:07.425 11241100x8000000000000000276577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localDownloads2022-09-15 15:11:07.424{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\TvsQSwCJ.jpeg.part2022-09-15 15:11:07.423 23542300x8000000000000000276576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.424{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\TvsQSwCJ.jpeg.partMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000276575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localDownloads2022-09-15 15:11:07.423{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\TvsQSwCJ.jpeg.part2022-09-15 15:11:07.423 10341000x8000000000000000276574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:07.376{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7d109|C:\Program Files\Mozilla Firefox\xul.dll+e7d3e8|C:\Program Files\Mozilla Firefox\xul.dll+121687b|C:\Program Files\Mozilla Firefox\xul.dll+e79d77|C:\Program Files\Mozilla Firefox\xul.dll+e5eae7|C:\Program Files\Mozilla Firefox\xul.dll+1f88572|C:\Program Files\Mozilla Firefox\xul.dll+1a9930a|C:\Program Files\Mozilla Firefox\xul.dll+1a9be25|C:\Program Files\Mozilla Firefox\xul.dll+1e9f8e6|UNKNOWN(00000104A81232E3) 23542300x8000000000000000169680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:07.628{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132E6EEB72FCA6B3F24A194D7DB42BFC,SHA256=1181F2F4E102D5D3DAE83FC8BDB8F141488D29CF3968739B787E2EF6EEA6EF51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:08.713{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA18E6BC3DAF5D179AE352D0A44A932,SHA256=221F008F136B9F1628FE9D97768D0A1D13CE258709FE2F130F9C98ACFF95935C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.755{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A1306C6D3153C6C65C96DE8D8619A5,SHA256=04920E79EBE8CD9F23C5FDE96542BC799D31A7B37E9BF69E433CD0DCDAC84E4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000276640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.462{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.460{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.458{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.455{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.451{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.450{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.431{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.428{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.426{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.424{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.420{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.416{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.412{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.409{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.406{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.405{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.405{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.401{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.382{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.381{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.379{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.377{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.365{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.364{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.361{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.358{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.357{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.357{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.357{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.356{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.355{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.346{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.343{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.308{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.306{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.289{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.281{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.241{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.234{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.223{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.219{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.217{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.215{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.212{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.206{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.205{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.202{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.201{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 10341000x8000000000000000276592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:08.199{6820D070-DD11-6322-8606-000000007402}52805412C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136003D0) 23542300x8000000000000000169682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:09.783{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39270FF899B5B4EDE22397AFE26ED6F6,SHA256=A782E713F776102A8005DF5E5257B74DFB3EF1EEBAF4B4EEA91DD5BBAC28D858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:09.605{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131AD4B6A1C71546F05B58D47D6DD1E8,SHA256=91577F6FD8DF1F1759202F29E92E2595F4ECA5C5745E8E5F68040A6EDF8D7C98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:09.063{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FEF4FB7966CE3A521417F9C4DAFA12DC,SHA256=C5BCC5DE2A556BE12BA2245AED2C0DBEE984997092E5C36E1AFA0B0B7BEDB4B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:10.900{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018C7033F11059F2A1E8CB333E1D20A5,SHA256=061023B0A98E6BD5A12DD90CBECB7A58B54640FB7A01E483A99B08047E40B285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:10.609{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B198A1E5BAEA6BEA33BD6A5BCB6099,SHA256=4048F6109F154C126282BB0924DE7FDF51400DF48773F39DCA263E70BF1EEB35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:07.887{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55386-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:11.985{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43AF14726914E846928C09118E0C8562,SHA256=AF93E6A19560A79E6574586EDA81CFD5E86B371E31FE003C9F4A0530EC12F5C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:11.716{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3DCF0E29481DE7670C326575722901,SHA256=6102267A94130FB684A67CDA64926D5E568CE8C35E95AACB57B6E8D013E38121,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:12.821{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3D528B8DE334448B6EEDAC967E42C8,SHA256=747D54BF5587DE52044BE6EFFC07376242F804E95A792F1399597FE1D6720D59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000276649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:10.575{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local49155-false10.0.1.12-8000- 10341000x8000000000000000276648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:12.505{6820D070-DD04-6322-7906-000000007402}26567384C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:12.482{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:12.482{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:13.923{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D525DF21DD4A8A72DD69C7F44A8B7C,SHA256=0CFB3AFA7D6EE5395A76FF2DE8003078D0D98B25EC3E0DFA7B3C9C7EB1BFF59E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:13.101{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023A4C264894BE2A07AA34C270CD5921,SHA256=E9C1B8D5D73269A6DFE6189055A7578BC79A251592F3D8A103BE77F9501F4F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:14.217{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038A8701004A622F75434D8B08E151F1,SHA256=58477E5A5CDA22FA73A5D3F70F819C4EFCDE938D348D21F9160BD7A186E2BADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:14.659{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\entries\E541C8D393FA99CCF40397624167445D4C5AAC2BMD5=8E180A442194F175AFDADB03A76F60E8,SHA256=D0ED7A7FCE8882DC49CD9F35F204001DFBCC5E66A02D55A8DE7F198C763D8799,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:13.044{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55387-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:15.349{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B430F05CC3D08631445C85DDE3E696BF,SHA256=FD905C333274E66304467E43423AFD93FD34543CB602423DF5E8E0569CE0701C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:15.026{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99B7E63FA84EF46E912DEA5CBBE8B88,SHA256=786020318CAE88AB0C82BECC6C13894DCDADB615F0EA8D4D050F43F2F12CBFB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:16.434{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5997C5944D3A2CADF4245FAFC7E2E7,SHA256=DBC50C84EE94A665EEED6586B92366D56AAA7F261A8A8B0B901399A1B75D63BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:16.130{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4332A000B824F66C5C066072826CDE8,SHA256=18C495063BA849D50B74230F41C78402EBDF2631A4B5DAE874E920406CCC275D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000276656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:15.664{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local49156-false10.0.1.12-8000- 23542300x8000000000000000276655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:17.234{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C619F0156ED8E3D9AADD3BA464DBEC,SHA256=7A3961C7AAA2C427A6EE6DD1729C46FD0FA25C7B33A9291C1F8EBCCCF16FF527,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:17.995{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:17.982{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:17.980{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000169691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:17.519{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3234642A2A54CB57E76136611CA48D9,SHA256=0402C49FE1DBA504C2036BA9CCD0C275E22D288A0874BBB950A76578124BAAA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.606{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0129907D75622738F05C43985B6B7F6C,SHA256=395458235A84CADEAA004A0FC3F69F922C6C5656D33B604F01F75A59B2244626,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000276762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.835{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000276761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.835{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000276760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.834{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000276759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.833{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000276758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.832{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000276757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.832{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000276756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.831{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000276755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.831{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000276754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.824{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000276753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.824{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000276752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.823{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000276751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.820{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000276750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.820{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000276749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.819{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000276748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.819{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000276747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.819{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000276746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.819{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000276745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.819{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000276744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.818{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000276743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.818{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000276742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.818{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000276741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.818{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000276740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.818{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000276739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.818{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000276738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.818{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000276737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.818{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000276736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.818{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000276735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.818{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000276734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.817{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.817{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000276732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.817{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000276731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.817{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000276730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.817{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000276729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.817{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000276728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.817{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000276727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.817{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000276726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.816{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000276725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.816{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000276724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.816{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000276723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.815{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000276722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.814{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.813{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000276720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.813{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000276719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.812{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.812{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000276717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.812{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.812{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.811{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.811{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.811{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.811{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.810{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.536{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BC7D48BFA1E7D6429B504743D31D17,SHA256=BCA89A02DFC0A0AD5281F07EC8D419391CA580AC05A381408FBFA6722A70D04E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000276709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.341{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000276708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.339{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000276707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.339{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000169742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.506{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C0EB6462D5CC13D6F7F20D65818B2A,SHA256=55D44451EC8A34C793FF2DDBE245F5F0DE60DB39A4FFCD9594919D7C7BE78DCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000169741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.308{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 734700x8000000000000000276706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.163{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000276705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.163{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000276704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.161{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000276703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.160{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000276702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.158{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000276701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.158{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000276700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.157{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000276699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.152{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000276698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.150{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000276697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.150{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000276696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.150{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000276695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.150{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000276694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.149{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000276693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.149{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000276692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.149{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000276691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.149{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000276690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.149{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000276689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.149{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000276688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.149{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000276687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.149{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000276686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.149{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000276685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.149{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000276684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.148{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000276683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.147{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000276682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.147{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000276681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.147{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000276680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.147{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000276679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.147{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000276678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.146{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000276677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.146{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000276676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.146{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000276675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.145{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000276674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.145{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000276673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.145{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000276672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.145{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.144{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000276670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.144{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.143{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000276668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.143{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000276667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.142{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.142{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000276665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.142{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.142{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.142{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.142{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.142{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.142{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.139{6820D070-4096-6323-7F18-000000007402}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.104{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-455MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:18.048{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.304{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.301{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.298{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.297{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.283{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.282{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.282{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.278{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.274{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.271{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.269{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.262{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.260{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.232{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.220{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.212{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.187{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.181{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.170{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.165{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.164{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.162{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.160{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.158{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.155{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.153{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.152{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.149{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.148{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.146{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.144{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.140{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.138{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.134{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.129{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.127{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.116{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.108{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.081{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.070{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.065{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.057{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.041{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.034{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.026{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 10341000x8000000000000000169695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:18.012{E743DC12-DCF5-6322-7D03-000000007502}55365820C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000018FCC190) 23542300x8000000000000000169744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:19.673{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31CAFC726B8F6CB5198648280D6FC96,SHA256=7B0F029F9FFDED4051D48A27063D757583A23FD2723AFE424F30AE1DCF350206,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.936{6820D070-DD04-6322-7906-000000007402}26567384C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.936{6820D070-DD04-6322-7906-000000007402}26567384C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.935{6820D070-DD04-6322-7906-000000007402}26567384C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.933{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.933{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.933{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.932{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000276822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:17.504{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local49157-false10.0.1.12-8089- 734700x8000000000000000276821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.690{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000276820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.690{6820D070-4097-6323-8118-000000007402}5960772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.689{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000276818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.689{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000276817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.665{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\20944MD5=09B214784E7D05371732A5C7FFE0D80F,SHA256=023FC96DFFB55C8197CDE25968255C3AFC5B303D9A15B8687BAA24C333276232,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.664{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\21056MD5=049990AE27492BC4A4F8E58FD6933823,SHA256=836C2DAD1516CE4CBF90B2CC9F328A1A78C8068F73712B54C31D3D4A09826A58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.559{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C4B43C9FA22E52F6FB4E21E822B758,SHA256=293D415CFCA5088C29FD7FA5B68028C901EDFF621DBAF6C2E67D781A15CAF20D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000276814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.502{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000276813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.502{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000276812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.501{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000276811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.501{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000276810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.499{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000276809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.499{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000276808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.498{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000276807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.497{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000276806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.490{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000276805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.486{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000276804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.486{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000276803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.486{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000276802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.485{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000276801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.485{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000276800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.484{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000276799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.484{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.483{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000276797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.483{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000276796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.483{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000276795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.483{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000276794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.483{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000276793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.482{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000276792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.482{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000276791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.482{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000276790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.482{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000276789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.482{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000276788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.482{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000276787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.482{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000276786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.481{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000276785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.481{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000276784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.481{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000276783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.481{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000276782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.481{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000276781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.481{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000276780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.481{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000276779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.480{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.479{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000276777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.479{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000276776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.478{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.478{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000276774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.477{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.477{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.477{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.477{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.477{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.476{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.475{6820D070-4097-6323-8118-000000007402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.229{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=447C6460F449FCD235476EEC10B2E909,SHA256=678C61479976B6F4A84E75A801141269EAF2863400D07625A89D83725012FDD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.100{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-456MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000276765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.010{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000276764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.008{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000276763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:19.008{6820D070-4096-6323-8018-000000007402}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000169749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:20.772{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F4AF460C88CDB2536B8304A5339494,SHA256=0BEA8021CE09C742F78AA8FBD15E81C0FB266E0A8D90760E315292F129F56CF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.822{6820D070-4098-6323-8318-000000007402}73124032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.821{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000276931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.821{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000276930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.631{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000276929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.631{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000276928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.630{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000276927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.630{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000276926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.628{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000276925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.627{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000276924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.627{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000276923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.627{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000276922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.626{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000276921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.611{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000276920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.610{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000276919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.610{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000276918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.610{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000276917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.610{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000276916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.610{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000276915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.610{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000276914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.610{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000276913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.609{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000276912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.609{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000276911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.609{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000276910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.609{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000276909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.609{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000276908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.608{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000276907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.608{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000276906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.607{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000276905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.607{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000276904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.607{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000276903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.607{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000276902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.606{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000276901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.606{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000276900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.606{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000276899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.605{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000276898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.605{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000276897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.605{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000276896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.604{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.604{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000276894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.603{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.603{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000276892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.602{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000276891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.602{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.602{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000276889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.601{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.601{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.601{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.601{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.601{6820D070-D2EE-6322-0500-000000007402}412428C:\Windows\system32\csrss.exe{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.600{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.599{6820D070-4098-6323-8318-000000007402}7312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.598{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E0042FC2FC146F1C86B1D254547FDC,SHA256=063405A6C3B5045951C670A8FD4F9A7478902F5AAD345031AE1F7E5B7BE3242E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:20.372{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:20.372{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:20.372{E743DC12-D54F-6322-0B00-000000007502}6283780C:\Windows\system32\lsass.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:20.357{E743DC12-D54F-6322-0C00-000000007502}7283068C:\Windows\system32\svchost.exe{E743DC12-DCF5-6322-7D03-000000007502}5536C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.328{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000276880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.326{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000276879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.325{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000276878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.109{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000276877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.107{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000276876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.104{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000276875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.104{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000276874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.102{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000276873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.101{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000276872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.101{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000276871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.101{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000276870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.094{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000276869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.093{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000276868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.093{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000276867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.093{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000276866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.092{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000276865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.092{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000276864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.091{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000276863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.091{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000276862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.091{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000276861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.090{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000276860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.090{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.089{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000276858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.089{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000276857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.089{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000276856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.089{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000276855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.089{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000276854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.088{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000276853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.088{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000276852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.088{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000276851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.088{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000276850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.088{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000276849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.088{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000276848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.088{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000276847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.087{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000276846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.087{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000276845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.087{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000276844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.087{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000276843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.087{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000276842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.086{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.085{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000276840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.085{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000276839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.084{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.084{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000276837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.084{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.084{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.084{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.084{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.083{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.083{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.082{6820D070-4098-6323-8218-000000007402}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:20.078{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06FE5FD8FA8177E11CB10B5C1E432790,SHA256=F3714D21745F552D4A5224693DAC83087940F239792C37E609164E4BB1515D95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000277038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.972{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000277037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.971{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000277036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.971{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000277035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.970{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000277034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.968{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000277033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.968{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000277032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.967{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000277031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.967{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000277030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.960{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000277029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.960{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000277028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.960{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000277027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.959{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000277026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.959{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000277025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.958{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000277024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.958{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000277023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.958{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000277022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.958{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000277021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.958{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000277020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.958{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000277019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.957{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000277018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.957{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000277017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.957{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000277016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.957{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000277015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.957{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000277014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.957{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000277013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.957{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000277012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.956{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000277011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.956{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000277010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.956{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000277009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.954{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000277008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.954{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000277007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.953{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000277006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.953{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000277005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.953{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000277004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.953{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000277003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.952{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000277002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.951{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000277001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.951{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000277000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.950{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.950{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000276998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.950{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.950{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.949{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.949{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.949{6820D070-D2EE-6322-0500-000000007402}41292C:\Windows\system32\csrss.exe{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.949{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.948{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000276991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.821{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7d109|C:\Program Files\Mozilla Firefox\xul.dll+e7d3e8|C:\Program Files\Mozilla Firefox\xul.dll+121687b|C:\Program Files\Mozilla Firefox\xul.dll+e79d77|C:\Program Files\Mozilla Firefox\xul.dll+1231e36|C:\Program Files\Mozilla Firefox\xul.dll+cc66e|C:\Program Files\Mozilla Firefox\xul.dll+c52304|C:\Program Files\Mozilla Firefox\xul.dll+c5203b|C:\Program Files\Mozilla Firefox\xul.dll+18be779|C:\Program Files\Mozilla Firefox\xul.dll+1e9f84e|UNKNOWN(00000104A81232E3) 10341000x8000000000000000276990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.775{6820D070-DD04-6322-7906-000000007402}26567384C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.760{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.759{6820D070-DD04-6322-7906-000000007402}26565508C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.673{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F133918E999F968443F9539E6CFB2F9B,SHA256=316FDC2BC32DDC95D399050AF70841F4A84F5227B9B34181C216E21C43B9A6AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000276986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.660{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787365CC7CF5BAFF6FABFF8755DA967B,SHA256=32CED826F6F9D7E66EBB3FF23A1793A5D591AA28665A2126CA8E9CC0262D2DA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:21.825{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B828A70B09186BC827C5874F2788DC,SHA256=03BACD77FBC41D0E23FFE7B46DB9C3E37266FEA6E16E9470BB9DB0D606396D15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000169751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:19.014{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55388-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:21.188{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2DC6DB053DABACA1694C1CC607E05F37,SHA256=4D1FAE0A2A5B36DA30D6D28012BBECE246E51E555ABAE0BD2CAC1DF198EFDE6A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000276985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.463{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000276984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.462{6820D070-4099-6323-8418-000000007402}55007404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.453{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000276982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.453{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000276981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.288{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000276980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.288{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000276979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.287{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000276978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.286{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000276977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.285{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000276976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.284{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000276975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.284{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000276974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.283{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000276973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.277{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000276972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.277{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000276971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.276{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000276970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.276{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000276969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.276{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000276968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.275{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000276967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.275{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000276966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.275{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000276965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.274{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000276964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.274{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.274{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000276962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.274{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000276961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.274{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000276960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.274{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000276959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.273{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000276958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.273{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000276957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.273{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000276956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.273{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000276955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.273{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000276954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.273{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000276953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.273{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000276952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.272{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000276951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.272{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000276950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.272{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000276949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.272{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000276948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.272{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000276947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.270{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000276946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.270{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000276945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.269{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000276944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.269{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000276943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.267{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000276942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.267{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000276941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.266{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000276940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.266{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.266{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.265{6820D070-D2EE-6322-0500-000000007402}412528C:\Windows\system32\csrss.exe{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.266{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.265{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.264{6820D070-D358-6322-A300-000000007402}15603264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.262{6820D070-4099-6323-8418-000000007402}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-D2EE-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000169754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:22.936{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22CAB77F92BF01B30CE4EA522B61A25A,SHA256=1E7C6CF04334504A93B6EB2ABFF1840867B56DB16151E7380BC57A116B75793B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000277042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:22.207{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000277041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:22.207{6820D070-4099-6323-8518-000000007402}47806900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000277040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:22.207{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000277039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:22.206{6820D070-4099-6323-8518-000000007402}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000169753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:22.594{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:23.948{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C71A760F464FB16B9C322B277EEB7E33,SHA256=8E4A9335F8FA1E537E863BBE047D13B34A94A16F142DA0376CCA3552806EDA4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000277049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:23.891{6820D070-EFF0-6322-ED08-000000007402}43962168C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000277048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localDownloads2022-09-15 15:11:23.875{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\SC_administrator_WIN-DC-CTUS-ATT_2022_09_15_15_09_56(2).jpeg2022-09-15 15:11:23.875 11241100x8000000000000000277047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localDownloads2022-09-15 15:11:23.875{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\6VjCUoQS.jpeg.part2022-09-15 15:11:23.873 23542300x8000000000000000277046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:23.873{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\6VjCUoQS.jpeg.partMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000277045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localDownloads2022-09-15 15:11:23.873{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\6VjCUoQS.jpeg.part2022-09-15 15:11:23.873 354300x8000000000000000277044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:21.658{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local49158-false10.0.1.12-8000- 23542300x8000000000000000277043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:23.193{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6319C84C5939C6982607D278018D27,SHA256=DA5CE319AB948D1A6972FE72C1AA371EF87DD2E7F60D287A421079D0C2201845,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000277051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:24.210{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577C888DAE6D8CBC90A9A3089AED191C,SHA256=103E28A0B4692E8C90C8A2B0D417E2B8563EFDEF46AD5940098CCE0A609831FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000169756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:21.414{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55389-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000169755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:24.042{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C0066E479397CF6668E38B5298E627,SHA256=234115313AC2A3190DE472B87B7A362A91F787E4ED64075C3FBD7DE6186FEB8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.648{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.647{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000277073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.322{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7B8ACCC7766D4DB6CF40AF0C2F81FE,SHA256=6382BEB1636AC5F349946B49676AEE5E1406BD4DD22C80DE7FC978D5BE45208A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000277072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.277{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.268{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.256{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.255{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.240{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.237{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.234{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.232{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.226{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000169757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:25.112{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60940C0F21E5ED1099FDEF93311C573F,SHA256=A3F02EE7C73520DA600166160B82B6030F8B377D00F0C67E32B1CD968E0138FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.193{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.180{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.174{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.163{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.154{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.147{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.132{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.126{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.116{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.109{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.070{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:25.066{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 13241300x8000000000000000277086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 15:11:26.746{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000277085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 15:11:26.746{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01ac82f9) 13241300x8000000000000000277084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:11:26.746{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c90d-0x0b0736be) 13241300x8000000000000000277083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:11:26.746{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c915-0x6ccb9ebe) 13241300x8000000000000000277082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:11:26.746{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c91d-0xce9006be) 13241300x8000000000000000277081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 15:11:26.746{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000277080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 15:11:26.746{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01ac82f9) 13241300x8000000000000000277079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:11:26.746{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c90d-0x0b0736be) 13241300x8000000000000000277078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:11:26.746{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c915-0x6ccb9ebe) 13241300x8000000000000000277077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 15:11:26.746{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c91d-0xce9006be) 23542300x8000000000000000277076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:26.329{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC40737BF592456C8D6DE29C4EEE263,SHA256=E8FB75A4521E27A62075CF50676BB9706416A920C3FF370F4A1A4B642113EBC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:26.228{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B394E1C3B3FA180E4EEB2B972875DF,SHA256=ED7B6D24BA2CA8D14BC92A4BC99ED0698B60B241576012E4CEA3559D2F122C70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000169760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:24.955{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55390-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000169759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:27.345{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A495029DB75E94C6C1CB7B06E5DFE5,SHA256=FC76D413365EA29583C304E864E37EC64C08C43DC64D6BCC6277D45B011C83FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:27.664{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:27.663{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:27.657{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:27.655{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000277088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:27.335{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BA32A81C6A133E2E7D0F44D67A7D70,SHA256=7F0B9D4426D4A5D6521411E10920A9B1C9D07728BAA96A9AF3147055327E027A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000277087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:27.046{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\permissions.sqlite-journalMD5=09EEA896888257311FF57D01000BA39B,SHA256=8B7BFF69F09D335FB66C5B63071595163D6C964502DFD8BE614AA5624F68A8E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:28.461{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99BCB0F11FB54CD265918B084C0560F9,SHA256=1E5F03E5641EC4D15F2413D0B030B92933E4F4AA2C6CDAC71CA6426D67D67662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.784{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35AF3D5B8AAB407395FDDE0D865A2FB,SHA256=2F1897F50496A49555646991AF0F05DC88D4F04D5C98FC2876B9E0E723AE9200,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000277141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.467{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FBC-6323-6618-000000007402}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.465{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3FB4-6323-6518-000000007402}8020C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.462{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3F02-6323-4F18-000000007402}5016C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.459{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3EFF-6323-4E18-000000007402}6024C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.454{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.453{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.428{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.419{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.408{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.405{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.402{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.399{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.397{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.394{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.393{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.393{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.393{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.389{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.368{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.366{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.363{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.360{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.347{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.346{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.344{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.341{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.336{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.335{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.335{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.332{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.329{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.320{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.318{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.293{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.291{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.273{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.264{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.219{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.207{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.197{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.192{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.190{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.187{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.184{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.181{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.180{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.176{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.175{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 10341000x8000000000000000277093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:28.172{6820D070-DD11-6322-8606-000000007402}52805304C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013038610) 23542300x8000000000000000169762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:29.578{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24EFA3B20F4BAC17C42923E86521E0DF,SHA256=7A0EBFA513F285F7DB834BF81EA6BCDF88017D8C39D09980F8C0FC6153343CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.814{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40F04110498CDAA8F8628996DC6BA88,SHA256=A79EAE5BD5BB4E8E6810A9C43F206D7FC692C640521E85137350E30F91C4EBE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000277203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.727{6820D070-D2F0-6322-0D00-000000007402}908900C:\Windows\system32\svchost.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.727{6820D070-D2F0-6322-0D00-000000007402}908900C:\Windows\system32\svchost.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.726{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.726{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.726{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.726{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.726{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.726{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.726{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.726{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.726{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.726{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.726{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.726{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.725{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.725{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.725{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.725{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.725{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.725{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.725{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.725{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.725{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.725{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.724{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.724{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.724{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.724{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.723{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.722{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.721{6820D070-D2F0-6322-0D00-000000007402}908928C:\Windows\system32\svchost.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000277144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:27.562{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local49159-false10.0.1.12-8000- 23542300x8000000000000000277143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:29.358{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6577C8E60715579B32ACCAA3E4269E,SHA256=837EA83887E04DDAC4BE697D0760F8886C5B58B5B2AA57E3EDB15ABFDB9BEFD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000277205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:30.385{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4798A4F7492C3F36F5B6668D863319D3,SHA256=34C36DE4404941378A4F68CD7990A17D1A459D0AA9622F4251C1D9DA9B8ACC44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:30.679{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C06DE0786DB877BCE9A789F4D31F9C,SHA256=F1A8F87AD1E8DD3A4ABF5A9BEDAB2A10DA07715AB801050F54B070D63D78AE22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000169764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:31.716{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97D03513C09EF44BCB88402C57DAB35,SHA256=BA9DEF5BAB0F41F4B18BA70DEE8AB01B831D9CE85281A027264CFE0DDE878F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:31.589{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC4078E07D6346DAD09526F3B613B4A,SHA256=69B10D707AA115F1D3725FB4BD604962779D66228979EBB7C09EDECE8891374D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000277207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:31.325{6820D070-D2F0-6322-1100-000000007402}496NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A414B010C91CB91824FBD4E14CAF73AD,SHA256=0AD8EADB6C4CF4D4847BABFD7D4950FB40D961C8F12A6A29E112581A9766197C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000277206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:31.249{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\xulstore.jsonMD5=03F37E505B3A116E485A63705560C357,SHA256=6B3030D490FC00A387F86B52D36A678F9F4D26B768740C74975674A1FFFB9B5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:32.816{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D1DA5D234C6D1A365E916E51932F50,SHA256=F2DDB95E167C992FD25A0B8228178CC7D4B1E74617A4EA3536C1C1147F01AA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:32.796{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A97AD66FE5F5AFDF831687428D34D45,SHA256=CB5E8DFC3373AE75BB86CD22C5E9791F299DEE8E70E664F273CDE6894FCFECE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000277210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:33.801{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F2ED371166E00EA4873D0D2CC15DF5,SHA256=EBBBCE00F1CFAB945EFA0080388BA77CC097B519E03CA74E453900EDE57ACD1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:33.832{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED7D438C4E6DD324B164B1F78B9A0EF,SHA256=488EE99CF76A1DB5D44260AF45E138604175972D88B2775D32969121DC5CEFCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000169766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:30.058{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55391-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000277212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:34.904{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D32BA6450D9527C01E794681A35A71AF,SHA256=1D111B9B29A1691D0079786EB141A4CD08A881804F62CD6D45236DD503EEAB8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:34.950{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F623ACE4AF1202C3188C30D6D04487C5,SHA256=EB1565F9F1CC8E07ADA32B7C165C91F8163FF96F8E9BD0E80B172C41D882F6E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000277211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:32.706{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local49160-false10.0.1.12-8000- 10341000x8000000000000000277216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:36.750{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000277215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:36.750{6820D070-DD04-6322-7906-000000007402}26564928C:\Windows\Explorer.EXE{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803FF2DBCD8)|UNKNOWN(FFFFECD22BFE7E08)|UNKNOWN(FFFFECD22BFE7F87)|UNKNOWN(FFFFECD22BFE2611)|UNKNOWN(FFFFECD22BFE3FDA)|UNKNOWN(FFFFECD22BFE2296)|UNKNOWN(FFFFF803FEFF1503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:36.749{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1acaa09.TMPMD5=AE83E3D1BED7E22F099EC37882555B7F,SHA256=19C20C1DAA5B1C1F7E9A0561569A10ABB7DBF1B544D26F74C2B5990D9C688508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000277213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:36.013{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C662F87C78D988D08F57E8757C04F65B,SHA256=CEAF6C612328C566649E3787E2FDAF5D289443B264AB399ECF69142DF06886F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:36.051{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349F9D78E99E21BB786C4B198E8332D5,SHA256=C1DFE1A505F1418ED877FCF886AB393475A86B7700C9B8C40AD32E820A470DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:37.786{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3A4008C682C9DAEA7672C1C54D403512,SHA256=E8E0152FF1F941FEE06E37E6B79300300210C84EC96618CB02BFAB6B395EBEE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000277217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:37.215{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A8D43B031D15BD778F0F355FDB4054,SHA256=37D471B0BD525BA457DCCF95611564F9F4AE16094B60FF81A7D67AC91CD3AB02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000169776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:37.998{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:37.991{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:37.982{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:37.974{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:37.966{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:37.963{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 23542300x8000000000000000169770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:37.183{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8B2E99339C98DE04258AAED7ED3A97,SHA256=490E68FB17894C0797E5B95222C67CB8917A6686521D619A18BC062DC51B93DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:38.533{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\permissions.sqlite-journalMD5=1AB3BD05C8647E570298C5E644227C88,SHA256=5720D5BBCE46FD11C498CC3179D7509D4C0745CD6079CD3C6458DC38FC27E6EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000277219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:38.320{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F7118EFC81F13EB06E9CEC7B617540,SHA256=051ECA58D992E90E6865BB3B868F37CDFAB249449D3353A95247F7E54BB73287,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.369{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7EC3F086AD4D7CF6790888D038A686,SHA256=F560733C1DAB2A73703A01467B85E6B1B3572D40686031C298B8F9FC23AFB18D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000169820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.340{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.337{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.334{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.330{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.328{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.309{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.308{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.307{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.303{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.300{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.297{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.294{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.287{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.285{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.262{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.246{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.235{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.207{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.200{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.188{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.183{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.181{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.179{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.176{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.175{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.170{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.162{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.161{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.159{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.158{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.156{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.154{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.147{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.136{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.132{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.126{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.115{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.100{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.092{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.059{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.050{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.041{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.031{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000169777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:38.016{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 23542300x8000000000000000277221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:39.627{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177D47AF31D11E8E8012C7D8CD70B5EC,SHA256=360D59F670072E4F0B57569DB273CFD5F57DC0898B72BA631A0637AADAD8D234,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:39.284{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C20E3955C02D18DE5455E831BD043C,SHA256=9C72E7CACAF5E760FD862A665D4A7AFDA8EA2C94E686EA56C8F6437E4D551011,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000169822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:36.062{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55392-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000277226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:40.732{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42A01CF8AD37B1EA0461F7A57968E0D,SHA256=75A08BF8564490ABB0C5272673B58E633E9D9DDF2F475DD50557AFC1AA66DD5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000169825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:40.403{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EBE4D1AB68E22DBE73766FB8C348B5,SHA256=77561D480D2752116D01E532D954FA4EDA8B30E5B98332EA53F1E8013BAB542D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:40.395{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2EC-6322-0100-000000007402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000277224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:40.387{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:40.297{6820D070-D2EE-6322-0B00-000000007402}6287656C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:40.286{6820D070-D2EE-6322-0B00-000000007402}628804C:\Windows\system32\lsass.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000169824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:11:40.287{E743DC12-D550-6322-1100-000000007502}992NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3C50CF1284D99B2B6169BA0C16B48095,SHA256=CAF8EB4EB7944F39EC1A42C9E696D3CF1A0069438C63635E17B0849A61055070,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000277238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:39.865{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local49166-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000277237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:39.865{6820D070-D2EC-6322-0100-000000007402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local49166-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000277236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:39.862{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local49165-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local49666- 354300x8000000000000000277235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:39.861{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local49165-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local49666- 354300x8000000000000000277234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:39.860{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local49164-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000277233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:39.860{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local49164-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000277232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:39.769{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local49163-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000277231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:39.769{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local49163-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000277230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:39.760{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local49162-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000277229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:39.760{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local49162-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000277228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:38.645{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local49161-false10.0.1.12-8000- 23542300x8000000000000000277227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:11:41.338{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EC0B826ECBF97CB0B1298AB33E2019F,SHA256=FBB56028F4753AED309F4E0D50D14521B446A41E703D636B17D1EF8654AB8954,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space